| Row | Tactic | Technique # | Technique Name | Test # | Test Name | Test GUID | Executor Name |
|---|---|---|---|---|---|---|---|
| 2 | defense-evasion | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 3 | defense-evasion | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM rule (freebsd) | b17eacac-282d-4ca8-a240-46602cf863e3 | sh |
| 4 | defense-evasion | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 3 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 5 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 1 | chmod - Change file or folder mode (numeric mode) | 34ca1464-de9d-40c6-8c77-690adf36a135 | sh |
| 6 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 2 | chmod - Change file or folder mode (symbolic mode) | fc9d6695-d022-4a80-91b1-381f5c35aff3 | sh |
| 7 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 3 | chmod - Change file or folder mode (numeric mode) recursively | ea79f937-4a4d-4348-ace6-9916aec453a4 | sh |
| 8 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 4 | chmod - Change file or folder mode (symbolic mode) recursively | 0451125c-b5f6-488f-993b-5a32b09f7d8f | bash |
| 9 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 5 | chown - Change file or folder ownership and group | d169e71b-85f9-44ec-8343-27093ff3dfc0 | bash |
| 10 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 6 | chown - Change file or folder ownership and group recursively | b78598be-ff39-448f-a463-adbf2a5b7848 | bash |
| 11 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 7 | chown - Change file or folder mode ownership only | 967ba79d-f184-4e0e-8d09-6362b3162e99 | sh |
| 12 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 8 | chown - Change file or folder ownership recursively | 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 | bash |
| 13 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 9 | chattr - Remove immutable file attribute | e7469fe2-ad41-4382-8965-99b94dd3c13f | sh |
| 14 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 10 | chflags - Remove immutable file attribute | 60eee3ea-2ebd-453b-a666-c52ce08d2709 | sh |
| 15 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 11 | Chmod through c script | 973631cf-6680-4ffa-a053-045e1b6b67ab | sh |
| 16 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 12 | Chmod through c script (freebsd) | da40b5fe-3098-4b3b-a410-ff177e49ee2e | sh |
| 17 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 13 | Chown through c script | 18592ba1-5f88-4e3c-abc8-ab1c6042e389 | sh |
| 18 | defense-evasion | T1222.002 | File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification | 14 | Chown through c script (freebsd) | eb577a19-b730-4918-9b03-c5edcf51dc4e | sh |
| 19 | defense-evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 1 | Decode Eicar File and Write to File | 7693ccaa-8d64-4043-92a5-a2eb70359535 | powershell |
| 20 | defense-evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 2 | Decrypt Eicar File and Write to File | b404caaa-12ce-43c7-9214-62a531c044f7 | powershell |
| 21 | defense-evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | 3 | Password-Protected ZIP Payload Extraction and Execution | c2ca068a-eb1e-498f-9f93-3d554c455916 | bash |
| 22 | defense-evasion | T1014 | Rootkit | 1 | Loadable Kernel Module based Rootkit | dfb50072-e45a-4c75-a17e-a484809c8553 | sh |
| 23 | defense-evasion | T1014 | Rootkit | 2 | Loadable Kernel Module based Rootkit | 75483ef8-f10f-444a-bf02-62eb0e48db6f | sh |
| 24 | defense-evasion | T1014 | Rootkit | 3 | dynamic-linker based rootkit (libprocesshider) | 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3 | sh |
| 25 | defense-evasion | T1014 | Rootkit | 4 | Loadable Kernel Module based Rootkit (Diamorphine) | 0b996469-48c6-46e2-8155-a17f8b6c2247 | sh |
| 26 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 27 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 2 | Sudo usage (freebsd) | 2bf9a018-4664-438a-b435-cc6f8c6f71b1 | sh |
| 28 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 3 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 29 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 4 | Unlimited sudo cache timeout (freebsd) | a83ad6e8-6f24-4d7f-8f44-75f8ab742991 | sh |
| 30 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 5 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 31 | defense-evasion | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 6 | Disable tty_tickets for sudo caching (freebsd) | 4df6a0fe-2bdd-4be8-8618-a6a19654a57a | sh |
| 32 | defense-evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | 1 | Execute a process from a directory masquerading as the current parent directory | 812c3ab8-94b0-4698-a9bf-9420af23ce24 | sh |
| 33 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 1 | Detect Virtualization Environment (Linux) | dfbd1a21-540d-4574-9731-e852bd6fe840 | sh |
| 34 | defense-evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 2 | Detect Virtualization Environment (FreeBSD) | e129d73b-3e03-4ae9-bf1e-67fc8921e0fd | sh |
| 35 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 1 | rm -rf | 989cc1b1-3642-4260-a809-54f9dd559683 | sh |
| 36 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 2 | rm -rf | bd8ccc45-d632-481e-b7cf-c467627d68f9 | sh |
| 37 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 5 | Truncate system log files via truncate utility (freebsd) | 14033063-ee04-4eaf-8f5d-ba07ca7a097c | sh |
| 38 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 7 | Delete log files via cat utility by appending /dev/null or /dev/zero (freebsd) | 369878c6-fb04-48d6-8fc2-da9d97b3e054 | sh |
| 39 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 10 | Overwrite FreeBSD system log via echo utility | 11cb8ee1-97fb-4960-8587-69b8388ee9d9 | sh |
| 40 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 13 | Delete system log files via unlink utility (freebsd) | 45ad4abd-19bd-4c5f-a687-41f3eee8d8c2 | sh |
| 41 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 18 | Delete system journal logs via rm and journalctl utilities | ca50dd85-81ff-48ca-92e1-61f119cb1dcf | sh |
| 42 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 19 | Overwrite Linux Mail Spool | 1602ff76-ed7f-4c94-b550-2f727b4782d4 | bash |
| 43 | defense-evasion | T1070.002 | Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs | 20 | Overwrite Linux Log | d304b2dc-90b4-4465-a650-16ddd503f7b5 | bash |
| 44 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 1 | Clear Bash history (rm) | a934276e-2be5-4a36-93fd-98adbb5bd4fc | sh |
| 45 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 2 | Clear Bash history (echo) | cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 | sh |
| 46 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 3 | Clear Bash history (cat dev/null) | b1251c35-dcd3-4ea1-86da-36d27b54f31f | sh |
| 47 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 4 | Clear Bash history (ln dev/null) | 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 | sh |
| 48 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 5 | Clear Bash history (truncate) | 47966a1d-df4f-4078-af65-db6d9aa20739 | sh |
| 49 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 6 | Clear history of a bunch of shells | 7e6721df-5f08-4370-9255-f06d8a77af4c | sh |
| 50 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 7 | Clear and Disable Bash History Logging | 784e4011-bd1a-4ecd-a63a-8feb278512e6 | bash |
| 51 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 8 | Use Space Before Command to Avoid Logging to History | 53b03a54-4529-4992-852d-a00b4b7215a6 | sh |
| 52 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 9 | Disable Bash History Logging with SSH -T | 5f8abd62-f615-43c5-b6be-f780f25790a1 | sh |
| 53 | defense-evasion | T1070.003 | Indicator Removal on Host: Clear Command History | 10 | Clear Docker Container Logs | 553b39f9-1e8c-47b1-abf5-8daf7b0391e9 | bash |
| 54 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 3 | Base64 decoding with Python | 356dc0e8-684f-4428-bb94-9313998ad608 | sh |
| 55 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 4 | Base64 decoding with Perl | 6604d964-b9f6-4d4b-8ce8-499829a14d0a | sh |
| 56 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 5 | Base64 decoding with shell utilities | b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e | sh |
| 57 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 6 | Base64 decoding with shell utilities (freebsd) | b6097712-c42e-4174-b8f2-4b1e1a5bbb3d | sh |
| 58 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 7 | FreeBSD b64encode Shebang in CLI | 18ee2002-66e8-4518-87c5-c0ec9c8299ac | sh |
| 59 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 8 | Hex decoding with shell utilities | 005943f9-8dd5-4349-8b46-0313c0a9f973 | sh |
| 60 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 9 | Linux Base64 Encoded Shebang in CLI | 3a15c372-67c1-4430-ac8e-ec06d641ce4d | sh |
| 61 | defense-evasion | T1140 | Deobfuscate/Decode Files or Information | 10 | XOR decoding and command execution using Python | c3b65cd5-ee51-4e98-b6a3-6cbdec138efc | bash |
| 62 | defense-evasion | T1562 | Impair Defenses | 2 | Disable journal logging via systemctl utility | c3a377f9-1203-4454-aa35-9d391d34768f | sh |
| 63 | defense-evasion | T1562 | Impair Defenses | 3 | Disable journal logging via sed utility | 12e5551c-8d5c-408e-b3e4-63f53b03379f | sh |
| 64 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 2 | Copy and Delete Mailbox Data on Linux | 25e2be0e-96f7-4417-bd16-a4a2500e3802 | bash |
| 65 | defense-evasion | T1070.008 | Email Collection: Mailbox Manipulation | 5 | Copy and Modify Mailbox Data on Linux | 6d99f93c-da56-49e3-b195-163090ace4f6 | bash |
| 66 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 1 | Set a file's access timestamp | 5f9113d5-ed75-47ed-ba23-ea3573d05810 | sh |
| 67 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 2 | Set a file's modification timestamp | 20ef1523-8758-4898-b5a2-d026cc3d2c52 | sh |
| 68 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 3 | Set a file's creation timestamp | 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b | sh |
| 69 | defense-evasion | T1070.006 | Indicator Removal on Host: Timestomp | 4 | Modify file timestamps using reference file | 631ea661-d661-44b0-abdb-7a7f3fc08e50 | sh |
| 70 | defense-evasion | T1497.003 | Time Based Evasion | 1 | Delay execution with ping | 8b87dd03-8204-478c-bac3-3959f6528de3 | sh |
| 71 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 7 | Stop/Start UFW firewall | fe135572-edcd-49a2-afe6-1d39521c5a9a | sh |
| 72 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 8 | Stop/Start Packet Filter | 0ca82ed1-0a94-4774-9a9a-a2c83a8022b7 | sh |
| 73 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 9 | Stop/Start UFW firewall systemctl | 9fd99609-1854-4f3c-b47b-97d9a5972bd1 | sh |
| 74 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 10 | Turn off UFW logging | 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad | sh |
| 75 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 11 | Add and delete UFW firewall rules | b2563a4e-c4b8-429c-8d47-d5bcb227ba7a | sh |
| 76 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 12 | Add and delete Packet Filter rules | 8b23cae1-66c1-41c5-b79d-e095b6098b5b | sh |
| 77 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 13 | Edit UFW firewall user.rules file | beaf815a-c883-4194-97e9-fdbbb2bbdd7c | sh |
| 78 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 14 | Edit UFW firewall ufw.conf file | c1d8c4eb-88da-4927-ae97-c7c25893803b | sh |
| 79 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 15 | Edit UFW firewall sysctl.conf file | c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 | sh |
| 80 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 16 | Edit UFW firewall main configuration file | 7b697ece-8270-46b5-bbc7-6b9e27081831 | sh |
| 81 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 17 | Tail the UFW firewall log file | 419cca0c-fa52-4572-b0d7-bc7c6f388a27 | sh |
| 82 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 18 | Disable iptables | 7784c64e-ed0b-4b65-bf63-c86db229fd56 | sh |
| 83 | defense-evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | 19 | Modify/delete iptables firewall rules | 899a7fb5-d197-4951-8614-f19ac4a73ad4 | sh |
| 84 | defense-evasion | T1562.012 | Impair Defenses: Disable or Modify Linux Audit System | 1 | Delete all auditd rules using auditctl | 33a29ab1-cabb-407f-9448-269041bf2856 | sh |
| 85 | defense-evasion | T1562.012 | Impair Defenses: Disable or Modify Linux Audit System | 2 | Disable auditd using auditctl | 7906f0a6-b527-46ee-9026-6e81a9184e08 | sh |
| 86 | defense-evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | 1 | Pad Binary to Change Hash - Linux/macOS dd | ffe2346c-abd5-4b45-a713-bf5f1ebd573a | sh |
| 87 | defense-evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | 2 | Pad Binary to Change Hash using truncate command - Linux/macOS | e22a9e89-69c7-410f-a473-e6c212cd2292 | sh |
| 88 | defense-evasion | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 89 | defense-evasion | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 90 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 91 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 2 | Make and modify binary from C source (freebsd) | dd580455-d84b-481b-b8b0-ac96f3b1dc4c | sh |
| 92 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 3 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 93 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 4 | Set a SetUID flag on file (freebsd) | 9be9b827-ff47-4e1b-bef8-217db6fb7283 | sh |
| 94 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 5 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 95 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 6 | Set a SetGID flag on file (freebsd) | 1f73af33-62a8-4bf1-bd10-3bea931f2c0d | sh |
| 96 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 7 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| 97 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 8 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| 98 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 9 | Do reconnaissance for files that have the setuid bit set | 8e36da01-cd29-45fd-be72-8a0fcaad4481 | sh |
| 99 | defense-evasion | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 10 | Do reconnaissance for files that have the setgid bit set | 3fb46e17-f337-4c14-9f9a-a471946533e2 | sh |
| 100 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 1 | Auditing Configuration Changes on Linux Host | 212cfbcf-4770-4980-bc21-303e37abd0e3 | bash |
| 101 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 2 | Auditing Configuration Changes on FreeBSD Host | cedaf7e7-28ee-42ab-ba13-456abd35d1bd | sh |
| 102 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 3 | Logging Configuration Changes on Linux Host | 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c | bash |
| 103 | defense-evasion | T1562.006 | Impair Defenses: Indicator Blocking | 4 | Logging Configuration Changes on FreeBSD Host | 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 | sh |
| 104 | defense-evasion | T1036.004 | Masquerading: Masquerade Task or Service | 3 | linux rename /proc/pid/comm using prctl | f0e3aaea-5cd9-4db6-a077-631dd19b27a8 | sh |
| 105 | defense-evasion | T1036.004 | Masquerading: Masquerade Task or Service | 4 | Hiding a malicious process with bind mounts | ad4b73c2-d6e2-4d8b-9868-4c6f55906e01 | sh |
| 106 | defense-evasion | T1562.010 | Impair Defenses: Downgrade Attack | 1 | ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI | 062f92c9-28b1-4391-a5f8-9d8ca6852091 | powershell |
| 107 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 1 | Disable history collection | 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 | sh |
| 108 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 2 | Disable history collection (freebsd) | cada55b4-8251-4c60-819e-8ec1b33c9306 | sh |
| 109 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 3 | Mac HISTCONTROL | 468566d5-83e5-40c1-b338-511e1659628d | manual |
| 110 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 4 | Clear bash history | 878794f7-c511-4199-a950-8c28b3ed8e5b | bash |
| 111 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 5 | Setting the HISTCONTROL environment variable | 10ab786a-028e-4465-96f6-9e83ca6c5f24 | bash |
| 112 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 6 | Setting the HISTFILESIZE environment variable | 5cafd6c1-2f43-46eb-ac47-a5301ba0a618 | bash |
| 113 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 7 | Setting the HISTSIZE environment variable | 386d3850-2ce7-4508-b56b-c0558922c814 | sh |
| 114 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 8 | Setting the HISTFILE environment variable | b3dacb6c-a9e3-44ec-bf87-38db60c5cad1 | bash |
| 115 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 9 | Setting the HISTFILE environment variable (freebsd) | f7308845-6da8-468e-99f2-4271f2f5bb67 | sh |
| 116 | defense-evasion | T1562.003 | Impair Defenses: Impair Command History Logging | 10 | Setting the HISTIGNORE environment variable | f12acddb-7502-4ce6-a146-5b62c59592f1 | bash |
| 117 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 1 | Disable syslog | 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 | sh |
| 118 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 2 | Disable syslog (freebsd) | db9de996-441e-4ae0-947b-61b6871e2fdf | sh |
| 119 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 3 | Disable Cb Response | ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 | sh |
| 120 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 4 | Disable SELinux | fc225f36-9279-4c39-b3f9-5141ab74f8d8 | sh |
| 121 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 5 | Stop Crowdstrike Falcon on Linux | 828a1278-81cc-4802-96ab-188bf29ca77d | sh |
| 122 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 39 | Clear History | 23b88394-091b-4968-a42d-fb8076992443 | sh |
| 123 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 40 | Suspend History | 94f6a1c9-aae7-46a4-9083-2bb1f5768ec4 | sh |
| 124 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 41 | Reboot Linux Host via Kernel System Request | 6d6d3154-1a52-4d1a-9d51-92ab8148b32e | sh |
| 125 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 42 | Clear Pagging Cache | f790927b-ea85-4a16-b7b2-7eb44176a510 | sh |
| 126 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 43 | Disable Memory Swap | e74e4c63-6fde-4ad2-9ee8-21c3a1733114 | sh |
| 127 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 47 | Tamper with Defender ATP on Linux/MacOS | 40074085-dbc8-492b-90a3-11bcfc52fda8 | sh |
| 128 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 50 | ESXi - Disable Account Lockout Policy via PowerCLI | 091a6290-cd29-41cb-81ea-b12f133c66cb | powershell |
| 129 | defense-evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | 59 | Disable ASLR Via sysctl parameters - Linux | ac333fe1-ce2b-400b-a117-538634427439 | bash |
| 130 | defense-evasion | T1027 | Obfuscated Files or Information | 1 | Decode base64 Data into Script | f45df6be-2e1e-4136-a384-8f18ab3826fb | sh |
| 131 | defense-evasion | T1036.003 | Masquerading: Rename System Utilities | 2 | Masquerading as FreeBSD or Linux crond process. | a315bfff-7a98-403b-b442-2ea1b255e556 | sh |
| 132 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 1 | Install root CA on CentOS/RHEL | 9c096ec4-fd42-419d-a762-d64cc950627e | sh |
| 133 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 2 | Install root CA on FreeBSD | f4568003-1438-44ab-a234-b3252ea7e7a3 | sh |
| 134 | defense-evasion | T1553.004 | Subvert Trust Controls: Install Root Certificate | 3 | Install root CA on Debian/Ubuntu | 53bcf8a0-1549-4b85-b919-010c56d724ff | sh |
| 135 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 3 | C compile | d0377aa6-850a-42b2-95f0-de558d80be57 | sh |
| 136 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 4 | CC compile | da97bb11-d6d0-4fc1-b445-e443d1346efe | sh |
| 137 | defense-evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | 5 | Go compile | 78bd3fa7-773c-449e-a978-dc1f1500bc52 | sh |
| 138 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 1 | Delete a single file - FreeBSD/Linux/macOS | 562d737f-2fc6-4b09-8c2a-7f8ff0828480 | sh |
| 139 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 2 | Delete an entire folder - FreeBSD/Linux/macOS | a415f17e-ce8d-4ce2-a8b4-83b674e7017e | sh |
| 140 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 3 | Overwrite and delete a file with shred | 039b4b10-2900-404b-b67f-4b6d49aa6499 | sh |
| 141 | defense-evasion | T1070.004 | Indicator Removal on Host: File Deletion | 8 | Delete Filesystem - Linux | f3aa95fe-4f10-4485-ad26-abf22a764c52 | sh |
| 142 | defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 1 | Binary simply packed by UPX (linux) | 11c46cd8-e471-450e-acb8-52a1216ae6a4 | sh |
| 143 | defense-evasion | T1027.002 | Obfuscated Files or Information: Software Packing | 2 | Binary packed by UPX, with modified headers (linux) | f06197f8-ff46-48c2-a0c6-afc1b50665e1 | sh |
| 144 | defense-evasion | T1036.006 | Masquerading: Space after Filename | 2 | Space After Filename | b95ce2eb-a093-4cd8-938d-5258cef656ea | sh |
| 145 | defense-evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | 1 | Create a hidden file in a hidden directory | 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be | sh |
| 146 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 147 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 148 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 149 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 150 | defense-evasion | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 151 | persistence | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 152 | persistence | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM rule (freebsd) | b17eacac-282d-4ca8-a240-46602cf863e3 | sh |
| 153 | persistence | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 3 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 154 | persistence | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 155 | persistence | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 156 | persistence | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /etc/cron.d folder | 078e69eb-d9fb-450e-b9d0-2e118217c846 | sh |
| 157 | persistence | T1053.003 | Scheduled Task/Job: Cron | 4 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 158 | persistence | T1176 | Browser Extensions | 1 | Chrome/Chromium (Developer Mode) | 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 | manual |
| 159 | persistence | T1176 | Browser Extensions | 2 | Firefox | cb790029-17e6-4c43-b96f-002ce5f10938 | manual |
| 160 | persistence | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 161 | persistence | T1546.005 | Event Triggered Execution: Trap | 2 | Trap EXIT (freebsd) | be1a5d70-6865-44aa-ab50-42244c9fd16f | sh |
| 162 | persistence | T1546.005 | Event Triggered Execution: Trap | 3 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| 163 | persistence | T1546.005 | Event Triggered Execution: Trap | 4 | Trap SIGINT (freebsd) | ade10242-1eac-43df-8412-be0d4c704ada | sh |
| 164 | persistence | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 165 | persistence | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 166 | persistence | T1136.001 | Create Account: Local Account | 1 | Create a user account on a Linux system | 40d8eabd-e394-46f6-8785-b9bfa1d011d2 | bash |
| 167 | persistence | T1136.001 | Create Account: Local Account | 2 | Create a user account on a FreeBSD system | a39ee1bc-b8c1-4331-8e5f-1859eb408518 | sh |
| 168 | persistence | T1136.001 | Create Account: Local Account | 6 | Create a new user in Linux with `root` UID and GID. | a1040a30-d28b-4eda-bd99-bb2861a4616c | bash |
| 169 | persistence | T1136.001 | Create Account: Local Account | 7 | Create a new user in FreeBSD with `root` GID. | d141afeb-d2bc-4934-8dd5-b7dba0f9f67a | sh |
| 170 | persistence | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | sh |
| 171 | persistence | T1136.002 | Create Account: Domain Account | 4 | Active Directory Create Admin Account | 562aa072-524e-459a-ba2b-91f1afccf5ab | sh |
| 172 | persistence | T1136.002 | Create Account: Domain Account | 5 | Active Directory Create User Account (Non-elevated) | 8c992cb3-a46e-4fd5-b005-b1bab185af31 | sh |
| 173 | persistence | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| 174 | persistence | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 175 | persistence | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 176 | persistence | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 177 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 178 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 179 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 3 | Add command to .shrc | 41502021-591a-4649-8b6e-83c9192aff53 | sh |
| 180 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 4 | Append to the system shell profile | 694b3cc8-6a78-4d35-9e74-0123d009e94b | sh |
| 181 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 5 | Append commands user shell profile | bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 | sh |
| 182 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 6 | System shell profile scripts | 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 | sh |
| 183 | persistence | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 7 | Create/Append to .bash_logout | 37ad2f24-7c53-4a50-92da-427a4ad13f58 | bash |
| 184 | persistence | T1546.018 | Event Triggered Execution: Python Startup Hooks | 3 | Python Startup Hook - atomic_hook.pth (Linux) | a58c066d-f2f0-42a2-ab70-30af73f89e66 | sh |
| 185 | persistence | T1546.018 | Event Triggered Execution: Python Startup Hooks | 5 | Python Startup Hook - usercustomize.py (Linux / MacOS) | 6e78084a-a433-4702-a838-cc7b765d87e8 | sh |
| 186 | persistence | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 2 | rc.common | c33f3d80-5f04-419b-a13a-854d1cbdbf3a | bash |
| 187 | persistence | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 3 | rc.local | 126f71af-e1c9-405c-94ef-26a47b16c102 | sh |
| 188 | persistence | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 1 | Create Systemd Service | d9e4f24f-aa67-4c6e-bcbf-85622b697a7c | bash |
| 189 | persistence | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 2 | Create SysV Service | 760fe8d2-79d9-494f-905e-a239a3df86f6 | sh |
| 190 | persistence | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 3 | Create Systemd Service file, Enable the service, Modify and Reload the service. | c35ac4a8-19de-43af-b9f8-755da7e89c89 | bash |
| 191 | persistence | T1053.002 | Scheduled Task/Job: At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 192 | persistence | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 193 | persistence | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 194 | persistence | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 195 | persistence | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 196 | persistence | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 197 | command-and-control | T1132.001 | Data Encoding: Standard Encoding | 1 | Base64 Encoded data. | 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 | sh |
| 198 | command-and-control | T1132.001 | Data Encoding: Standard Encoding | 2 | Base64 Encoded data (freebsd) | 2d97c626-7652-449e-a986-b02d9051c298 | sh |
| 199 | command-and-control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | 1 | DGA Simulation (Python) | cc367493-3a00-4c4a-a685-16b73339167c | bash |
| 200 | command-and-control | T1659 | Content Injection | 1 | MITM Proxy Injection | 9b360eaf-c778-4f07-a6e7-895c4f01ac1c | bash |
| 201 | command-and-control | T1572 | Protocol Tunneling | 5 | Microsoft Dev tunnels (Linux/macOS) | 9f94a112-1ce2-464d-a63b-83c1f465f801 | bash |
| 202 | command-and-control | T1572 | Protocol Tunneling | 6 | VSCode tunnels (Linux/macOS) | b877943f-0377-44f4-8477-f79db7f07c4d | sh |
| 203 | command-and-control | T1572 | Protocol Tunneling | 7 | Cloudflare tunnels (Linux/macOS) | 228c336a-2f79-4043-8aef-bfa453a611d5 | sh |
| 204 | command-and-control | T1090.003 | Proxy: Multi-hop Proxy | 3 | Tor Proxy Usage - Debian/Ubuntu/FreeBSD | 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 | sh |
| 205 | command-and-control | T1571 | Non-Standard Port | 2 | Testing usage of uncommonly used port | 5db21e1d-dd9c-4a50-b885-b1e748912767 | sh |
| 206 | command-and-control | T1095 | Non-Application Layer Protocol | 4 | Linux ICMP Reverse Shell using icmp-cnc | 8e139e1f-1f3a-4be7-901d-afae9738c064 | manual |
| 207 | command-and-control | T1071.001 | Application Layer Protocol: Web Protocols | 3 | Malicious User Agents - Nix | 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 | sh |
| 208 | command-and-control | T1105 | Ingress Tool Transfer | 1 | rsync remote file copy (push) | 0fc6e977-cb12-44f6-b263-2824ba917409 | sh |
| 209 | command-and-control | T1105 | Ingress Tool Transfer | 2 | rsync remote file copy (pull) | 3180f7d5-52c0-4493-9ea0-e3431a84773f | sh |
| 210 | command-and-control | T1105 | Ingress Tool Transfer | 3 | scp remote file copy (push) | 83a49600-222b-4866-80a0-37736ad29344 | sh |
| 211 | command-and-control | T1105 | Ingress Tool Transfer | 4 | scp remote file copy (pull) | b9d22b9a-9778-4426-abf0-568ea64e9c33 | sh |
| 212 | command-and-control | T1105 | Ingress Tool Transfer | 5 | sftp remote file copy (push) | f564c297-7978-4aa9-b37a-d90477feea4e | bash |
| 213 | command-and-control | T1105 | Ingress Tool Transfer | 6 | sftp remote file copy (pull) | 0139dba1-f391-405e-a4f5-f3989f2c88ef | sh |
| 214 | command-and-control | T1105 | Ingress Tool Transfer | 14 | whois file download | c99a829f-0bb8-4187-b2c6-d47d1df74cab | sh |
| 215 | command-and-control | T1105 | Ingress Tool Transfer | 27 | Linux Download File and Run | bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 | sh |
| 216 | command-and-control | T1001.002 | Data Obfuscation via Steganography | 3 | Execute Embedded Script in Image via Steganography | 4ff61684-ad91-405c-9fbc-048354ff1d07 | sh |
| 217 | command-and-control | T1090.001 | Proxy: Internal Proxy | 1 | Connection Proxy | 0ac21132-4485-4212-a681-349e8a6637cd | sh |
| 218 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 5 | Data Compressed - nix - zip | c51cec55-28dd-4ad2-9461-1eacbc82c3a0 | bash |
| 219 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 6 | Data Compressed - nix - gzip Single File | cde3c2af-3485-49eb-9c1f-0ed60e9cc0af | sh |
| 220 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 7 | Data Compressed - nix - tar Folder or File | 7af2b51e-ad1c-498c-aca8-d3290c19535a | sh |
| 221 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 8 | Data Encrypted with zip and gpg symmetric | 0286eb44-e7ce-41a0-b109-3da516e05a5f | sh |
| 222 | collection | T1560.001 | Archive Collected Data: Archive via Utility | 9 | Encrypts collected data with AES-256 and Base64 | a743e3a6-e8b2-4a30-abe7-ca85d201b5d3 | bash |
| 223 | collection | T1113 | Screen Capture | 3 | X Windows Capture | 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac | bash |
| 224 | collection | T1113 | Screen Capture | 4 | X Windows Capture (freebsd) | 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c | sh |
| 225 | collection | T1113 | Screen Capture | 5 | Capture Linux Desktop using Import Tool | 9cd1cccb-91e4-4550-9139-e20a586fcea1 | bash |
| 226 | collection | T1113 | Screen Capture | 6 | Capture Linux Desktop using Import Tool (freebsd) | 18397d87-38aa-4443-a098-8a48a8ca5d8d | sh |
| 227 | collection | T1056.001 | Input Capture: Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| 228 | collection | T1056.001 | Input Capture: Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| 229 | collection | T1056.001 | Input Capture: Keylogging | 4 | Logging sh history to syslog/messages | b04284dc-3bd9-4840-8d21-61b8d31c99f2 | sh |
| 230 | collection | T1056.001 | Input Capture: Keylogging | 5 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | bash |
| 231 | collection | T1056.001 | Input Capture: Keylogging | 6 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| 232 | collection | T1056.001 | Input Capture: Keylogging | 7 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| 233 | collection | T1074.001 | Data Staged: Local Data Staging | 2 | Stage data from Discovery.sh | 39ce0303-ae16-4b9e-bb5b-4f53e8262066 | sh |
| 234 | collection | T1115 | Clipboard Data | 5 | Add or copy content to clipboard with xClip | ee363e53-b083-4230-aff3-f8d955f2d5bb | sh |
| 235 | collection | T1005 | Data from Local System | 2 | Find and dump sqlite databases (Linux) | 00cbb875-7ae4-4cf1-b638-e543fd825300 | bash |
| 236 | collection | T1560.002 | Archive Collected Data: Archive via Library | 1 | Compressing data using GZip in Python (FreeBSD/Linux) | 391f5298-b12d-4636-8482-35d9c17d53a8 | sh |
| 237 | collection | T1560.002 | Archive Collected Data: Archive via Library | 2 | Compressing data using bz2 in Python (FreeBSD/Linux) | c75612b2-9de0-4d7c-879c-10d7b077072d | sh |
| 238 | collection | T1560.002 | Archive Collected Data: Archive via Library | 3 | Compressing data using zipfile in Python (FreeBSD/Linux) | 001a042b-859f-44d9-bf81-fd1c4e2200b0 | sh |
| 239 | collection | T1560.002 | Archive Collected Data: Archive via Library | 4 | Compressing data using tarfile in Python (FreeBSD/Linux) | e86f1b4b-fcc1-4a2a-ae10-b49da01458db | sh |
| 240 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 1 | Sudo usage | 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e | sh |
| 241 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 2 | Sudo usage (freebsd) | 2bf9a018-4664-438a-b435-cc6f8c6f71b1 | sh |
| 242 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 3 | Unlimited sudo cache timeout | a7b17659-dd5e-46f7-b7d1-e6792c91d0bc | sh |
| 243 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 4 | Unlimited sudo cache timeout (freebsd) | a83ad6e8-6f24-4d7f-8f44-75f8ab742991 | sh |
| 244 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 5 | Disable tty_tickets for sudo caching | 91a60b03-fb75-4d24-a42e-2eb8956e8de1 | sh |
| 245 | privilege-escalation | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | 6 | Disable tty_tickets for sudo caching (freebsd) | 4df6a0fe-2bdd-4be8-8618-a6a19654a57a | sh |
| 246 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 247 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 248 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /etc/cron.d folder | 078e69eb-d9fb-450e-b9d0-2e118217c846 | sh |
| 249 | privilege-escalation | T1053.003 | Scheduled Task/Job: Cron | 4 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 250 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 1 | Trap EXIT | a74b2e07-5952-4c03-8b56-56274b076b61 | sh |
| 251 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 2 | Trap EXIT (freebsd) | be1a5d70-6865-44aa-ab50-42244c9fd16f | sh |
| 252 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 3 | Trap SIGINT | a547d1ba-1d7a-4cc5-a9cb-8d65e8809636 | sh |
| 253 | privilege-escalation | T1546.005 | Event Triggered Execution: Trap | 4 | Trap SIGINT (freebsd) | ade10242-1eac-43df-8412-be0d4c704ada | sh |
| 254 | privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 1 | Shared Library Injection via /etc/ld.so.preload | 39cb0e67-dd0d-4b74-a74b-c072db7ae991 | bash |
| 255 | privilege-escalation | T1574.006 | Hijack Execution Flow: LD_PRELOAD | 2 | Shared Library Injection via LD_PRELOAD | bc219ff7-789f-4d51-9142-ecae3397deae | bash |
| 256 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 1 | Make and modify binary from C source | 896dfe97-ae43-4101-8e96-9a7996555d80 | sh |
| 257 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 2 | Make and modify binary from C source (freebsd) | dd580455-d84b-481b-b8b0-ac96f3b1dc4c | sh |
| 258 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 3 | Set a SetUID flag on file | 759055b3-3885-4582-a8ec-c00c9d64dd79 | sh |
| 259 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 4 | Set a SetUID flag on file (freebsd) | 9be9b827-ff47-4e1b-bef8-217db6fb7283 | sh |
| 260 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 5 | Set a SetGID flag on file | db55f666-7cba-46c6-9fe6-205a05c3242c | sh |
| 261 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 6 | Set a SetGID flag on file (freebsd) | 1f73af33-62a8-4bf1-bd10-3bea931f2c0d | sh |
| 262 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 7 | Make and modify capabilities of a binary | db53959c-207d-4000-9e7a-cd8eb417e072 | sh |
| 263 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 8 | Provide the SetUID capability to a file | 1ac3272f-9bcf-443a-9888-4b1d3de785c1 | sh |
| 264 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 9 | Do reconnaissance for files that have the setuid bit set | 8e36da01-cd29-45fd-be72-8a0fcaad4481 | sh |
| 265 | privilege-escalation | T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | 10 | Do reconnaissance for files that have the setgid bit set | 3fb46e17-f337-4c14-9f9a-a471946533e2 | sh |
| 266 | privilege-escalation | T1098.004 | SSH Authorized Keys | 1 | Modify SSH Authorized Keys | 342cc723-127c-4d3a-8292-9c0c6b4ecadc | sh |
| 267 | privilege-escalation | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | 1 | Linux - Load Kernel Module via insmod | 687dcb93-9656-4853-9c36-9977315e9d23 | bash |
| 268 | privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 269 | privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 270 | privilege-escalation | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 271 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 1 | Add command to .bash_profile | 94500ae1-7e31-47e3-886b-c328da46872f | sh |
| 272 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 2 | Add command to .bashrc | 0a898315-4cfa-4007-bafe-33a4646d115f | sh |
| 273 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 3 | Add command to .shrc | 41502021-591a-4649-8b6e-83c9192aff53 | sh |
| 274 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 4 | Append to the system shell profile | 694b3cc8-6a78-4d35-9e74-0123d009e94b | sh |
| 275 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 5 | Append commands user shell profile | bbdb06bc-bab6-4f5b-8232-ba3fbed51d77 | sh |
| 276 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 6 | System shell profile scripts | 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 | sh |
| 277 | privilege-escalation | T1546.004 | Event Triggered Execution: .bash_profile .bashrc and .shrc | 7 | Create/Append to .bash_logout | 37ad2f24-7c53-4a50-92da-427a4ad13f58 | bash |
| 278 | privilege-escalation | T1546.018 | Event Triggered Execution: Python Startup Hooks | 3 | Python Startup Hook - atomic_hook.pth (Linux) | a58c066d-f2f0-42a2-ab70-30af73f89e66 | sh |
| 279 | privilege-escalation | T1546.018 | Event Triggered Execution: Python Startup Hooks | 5 | Python Startup Hook - usercustomize.py (Linux / MacOS) | 6e78084a-a433-4702-a838-cc7b765d87e8 | sh |
| 280 | privilege-escalation | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 2 | rc.common | c33f3d80-5f04-419b-a13a-854d1cbdbf3a | bash |
| 281 | privilege-escalation | T1037.004 | Boot or Logon Initialization Scripts: Rc.common | 3 | rc.local | 126f71af-e1c9-405c-94ef-26a47b16c102 | sh |
| 282 | privilege-escalation | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 1 | Create Systemd Service | d9e4f24f-aa67-4c6e-bcbf-85622b697a7c | bash |
| 283 | privilege-escalation | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 2 | Create SysV Service | 760fe8d2-79d9-494f-905e-a239a3df86f6 | sh |
| 284 | privilege-escalation | T1543.002 | Create or Modify System Process: SysV/Systemd Service | 3 | Create Systemd Service file, Enable the service, Modify and Reload the service. | c35ac4a8-19de-43af-b9f8-755da7e89c89 | bash |
| 285 | privilege-escalation | T1053.002 | Scheduled Task/Job: At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 286 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 287 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 288 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 289 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 290 | privilege-escalation | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 291 | credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 1 | Malicious PAM rule | 4b9dde80-ae22-44b1-a82a-644bf009eb9c | sh |
| 292 | credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 2 | Malicious PAM rule (freebsd) | b17eacac-282d-4ca8-a240-46602cf863e3 | sh |
| 293 | credential-access | T1556.003 | Modify Authentication Process: Pluggable Authentication Modules | 3 | Malicious PAM module | 65208808-3125-4a2e-8389-a0a00e9ab326 | sh |
| 294 | credential-access | T1056.001 | Input Capture: Keylogging | 2 | Living off the land Terminal Input Capture on Linux with pam.d | 9c6bdb34-a89f-4b90-acb1-5970614c711b | sh |
| 295 | credential-access | T1056.001 | Input Capture: Keylogging | 3 | Logging bash history to syslog | 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 | sh |
| 296 | credential-access | T1056.001 | Input Capture: Keylogging | 4 | Logging sh history to syslog/messages | b04284dc-3bd9-4840-8d21-61b8d31c99f2 | sh |
| 297 | credential-access | T1056.001 | Input Capture: Keylogging | 5 | Bash session based keylogger | 7f85a946-a0ea-48aa-b6ac-8ff539278258 | bash |
| 298 | credential-access | T1056.001 | Input Capture: Keylogging | 6 | SSHD PAM keylogger | 81d7d2ad-d644-4b6a-bea7-28ffe43becca | sh |
| 299 | credential-access | T1056.001 | Input Capture: Keylogging | 7 | Auditd keylogger | a668edb9-334e-48eb-8c2e-5413a40867af | sh |
| 300 | credential-access | T1110.001 | Brute Force: Password Guessing | 5 | SUDO Brute Force - Debian | ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 | bash |
| 301 | credential-access | T1110.001 | Brute Force: Password Guessing | 6 | SUDO Brute Force - Redhat | 4097bc00-5eeb-4d56-aaf9-287d60351d95 | bash |
| 302 | credential-access | T1110.001 | Brute Force: Password Guessing | 7 | SUDO Brute Force - FreeBSD | abcde488-e083-4ee7-bc85-a5684edd7541 | bash |
| 303 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 1 | Dump individual process memory with sh (Local) | 7e91138a-8e74-456d-a007-973d67a0bb80 | sh |
| 304 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 2 | Dump individual process memory with sh on FreeBSD (Local) | fa37b633-e097-4415-b2b8-c5bf4c86e423 | sh |
| 305 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 3 | Dump individual process memory with Python (Local) | 437b2003-a20d-4ed8-834c-4964f24eec63 | sh |
| 306 | credential-access | T1003.007 | OS Credential Dumping: Proc Filesystem | 4 | Capture Passwords with MimiPenguin | a27418de-bdce-4ebd-b655-38f04842bf0c | bash |
| 307 | credential-access | T1040 | Network Sniffing | 1 | Packet Capture Linux using tshark or tcpdump | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| 308 | credential-access | T1040 | Network Sniffing | 2 | Packet Capture FreeBSD using tshark or tcpdump | c93f2492-9ebe-44b5-8b45-36574cccfe67 | sh |
| 309 | credential-access | T1040 | Network Sniffing | 10 | Packet Capture FreeBSD using /dev/bpfN with sudo | e2028771-1bfb-48f5-b5e6-e50ee0942a14 | sh |
| 310 | credential-access | T1040 | Network Sniffing | 11 | Filtered Packet Capture FreeBSD using /dev/bpfN with sudo | a3a0d4c9-c068-4563-a08d-583bd05b884c | sh |
| 311 | credential-access | T1040 | Network Sniffing | 12 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo | 10c710c9-9104-4d5f-8829-5b65391e2a29 | bash |
| 312 | credential-access | T1040 | Network Sniffing | 13 | Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo | 7a0895f0-84c1-4adf-8491-a21510b1d4c1 | bash |
| 313 | credential-access | T1040 | Network Sniffing | 14 | Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo | 515575ab-d213-42b1-aa64-ef6a2dd4641b | bash |
| 314 | credential-access | T1040 | Network Sniffing | 15 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo | b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 | bash |
| 315 | credential-access | T1552 | Unsecured Credentials | 1 | AWS - Retrieve EC2 Password Data using stratus | a21118de-b11e-4ebd-b655-42f11142df0c | sh |
| 316 | credential-access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | 9 | LaZagne.py - Dump Credentials from Firefox Browser | 87e88698-621b-4c45-8a89-4eaebdeaabb1 | sh |
| 317 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 2 | Discover Private SSH Keys | 46959285-906d-40fa-9437-5a439accd878 | sh |
| 318 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 3 | Copy Private SSH Keys with CP | 7c247dc7-5128-4643-907b-73a76d9135c3 | sh |
| 319 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 4 | Copy Private SSH Keys with CP (freebsd) | 12e4a260-a7fd-4ed8-bf18-1a28c1395775 | sh |
| 320 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 5 | Copy Private SSH Keys with rsync | 864bb0b2-6bb5-489a-b43b-a77b3a16d68a | sh |
| 321 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 6 | Copy Private SSH Keys with rsync (freebsd) | 922b1080-0b95-42b0-9585-b9a5ea0af044 | sh |
| 322 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 7 | Copy the users GnuPG directory with rsync | 2a5a0601-f5fb-4e2e-aa09-73282ae6afca | sh |
| 323 | credential-access | T1552.004 | Unsecured Credentials: Private Keys | 8 | Copy the users GnuPG directory with rsync (freebsd) | b05ac39b-515f-48e9-88e9-2f141b5bcad0 | sh |
| 324 | credential-access | T1552.003 | Unsecured Credentials: Bash History | 1 | Search Through Bash History | 3cfde62b-7c33-4b26-a61e-755d6131c8ce | sh |
| 325 | credential-access | T1552.003 | Unsecured Credentials: Bash History | 2 | Search Through sh History | d87d3b94-05b4-40f2-a80f-99864ffa6803 | sh |
| 326 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 1 | Find AWS credentials | 37807632-d3da-442e-8c2e-00f44928ff8f | sh |
| 327 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 3 | Extract passwords with grep | bd4cf0d1-7646-474e-8610-78ccf5a097c4 | sh |
| 328 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 6 | Find and Access Github Credentials | da4f751a-020b-40d7-b9ff-d433b7799803 | bash |
| 329 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 15 | Find Azure credentials | a8f6148d-478a-4f43-bc62-5efee9f931a4 | sh |
| 330 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 16 | Find GCP credentials | aa12eb29-2dbb-414e-8b20-33d34af93543 | sh |
| 331 | credential-access | T1552.001 | Unsecured Credentials: Credentials In Files | 17 | Find OCI credentials | 9d9c22c9-fa97-4008-a204-478cf68c40af | sh |
| 332 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 1 | SSH Credential Stuffing From Linux | 4f08197a-2a8a-472d-9589-cd2895ef22ad | bash |
| 333 | credential-access | T1110.004 | Brute Force: Credential Stuffing | 3 | SSH Credential Stuffing From FreeBSD | a790d50e-7ebf-48de-8daa-d9367e0911d4 | sh |
| 334 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 1 | Access /etc/shadow (Local) | 3723ab77-c546-403c-8fb4-bb577033b235 | bash |
| 335 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 2 | Access /etc/master.passwd (Local) | 5076874f-a8e6-4077-8ace-9e5ab54114a5 | sh |
| 336 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 3 | Access /etc/passwd (Local) | 60e860b6-8ae6-49db-ad07-5e73edd88f5d | sh |
| 337 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 4 | Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat | df1a55ae-019d-4120-bc35-94f4bc5c4b0a | sh |
| 338 | credential-access | T1003.008 | OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow | 5 | Access /etc/{shadow,passwd,master.passwd} with shell builtins | f5aa6543-6cb2-4fae-b9c2-b96e14721713 | sh |
| 339 | discovery | T1033 | System Owner/User Discovery | 2 | System Owner/User Discovery | 2a9b677d-a230-44f4-ad86-782df1ef108c | sh |
| 340 | discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | 2 | Check internet connection using ping freebsd, linux or macos | be8f4019-d8b6-434c-a814-53123cdcc11e | bash |
| 341 | discovery | T1652 | Device Driver Discovery | 2 | Device Driver Discovery (Linux) | d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1 | bash |
| 342 | discovery | T1652 | Device Driver Discovery | 3 | Enumerate Kernel Driver Files (Linux) | 13c0fef5-9be9-4d7f-9c6b-901624e53770 | bash |
| 343 | discovery | T1087.002 | Account Discovery: Domain Account | 23 | Active Directory Domain Search | 096b6d2a-b63f-4100-8fa0-525da4cd25ca | sh |
| 344 | discovery | T1087.002 | Account Discovery: Domain Account | 24 | Account Enumeration with LDAPDomainDump | a54d497e-8dbe-4558-9895-44944baa395f | sh |
| 345 | discovery | T1087.001 | Account Discovery: Local Account | 1 | Enumerate all accounts (Local) | f8aab3dd-5990-4bf8-b8ab-2226c951696f | sh |
| 346 | discovery | T1087.001 | Account Discovery: Local Account | 2 | View sudoers access | fed9be70-0186-4bde-9f8a-20945f9370c2 | sh |
| 347 | discovery | T1087.001 | Account Discovery: Local Account | 3 | View accounts with UID 0 | c955a599-3653-4fe5-b631-f11c00eb0397 | sh |
| 348 | discovery | T1087.001 | Account Discovery: Local Account | 4 | List opened files by user | 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb | sh |
| 349 | discovery | T1087.001 | Account Discovery: Local Account | 5 | Show if a user account has ever logged in remotely | 0f0b6a29-08c3-44ad-a30b-47fd996b2110 | sh |
| 350 | discovery | T1087.001 | Account Discovery: Local Account | 6 | Enumerate users and groups | e6f36545-dc1e-47f0-9f48-7f730f54a02e | sh |
| 351 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 1 | Detect Virtualization Environment (Linux) | dfbd1a21-540d-4574-9731-e852bd6fe840 | sh |
| 352 | discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 2 | Detect Virtualization Environment (FreeBSD) | e129d73b-3e03-4ae9-bf1e-67fc8921e0fd | sh |
| 353 | discovery | T1069.002 | Permission Groups Discovery: Domain Groups | 15 | Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS | d58d749c-4450-4975-a9e9-8b1d562755c2 | sh |
| 354 | discovery | T1007 | System Service Discovery | 3 | System Service Discovery - systemctl/service | f4b26bce-4c2c-46c0-bcc5-fce062d38bef | bash |
| 355 | discovery | T1007 | System Service Discovery | 8 | System Service Discovery - Linux init scripts | 8f2a5d2b-4018-46d4-8f3f-0fea53754690 | sh |
| 356 | discovery | T1040 | Network Sniffing | 1 | Packet Capture Linux using tshark or tcpdump | 7fe741f7-b265-4951-a7c7-320889083b3e | bash |
| 357 | discovery | T1040 | Network Sniffing | 2 | Packet Capture FreeBSD using tshark or tcpdump | c93f2492-9ebe-44b5-8b45-36574cccfe67 | sh |
| 358 | discovery | T1040 | Network Sniffing | 10 | Packet Capture FreeBSD using /dev/bpfN with sudo | e2028771-1bfb-48f5-b5e6-e50ee0942a14 | sh |
| 359 | discovery | T1040 | Network Sniffing | 11 | Filtered Packet Capture FreeBSD using /dev/bpfN with sudo | a3a0d4c9-c068-4563-a08d-583bd05b884c | sh |
| 360 | discovery | T1040 | Network Sniffing | 12 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo | 10c710c9-9104-4d5f-8829-5b65391e2a29 | bash |
| 361 | discovery | T1040 | Network Sniffing | 13 | Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo | 7a0895f0-84c1-4adf-8491-a21510b1d4c1 | bash |
| 362 | discovery | T1040 | Network Sniffing | 14 | Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo | 515575ab-d213-42b1-aa64-ef6a2dd4641b | bash |
| 363 | discovery | T1040 | Network Sniffing | 15 | Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo | b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 | bash |
| 364 | discovery | T1135 | Network Share Discovery | 2 | Network Share Discovery - linux | 875805bc-9e86-4e87-be86-3a5527315cae | bash |
| 365 | discovery | T1135 | Network Share Discovery | 3 | Network Share Discovery - FreeBSD | 77e468a6-3e5c-45a1-9948-c4b5603747cb | sh |
| 366 | discovery | T1082 | System Information Discovery | 3 | List OS Information | cccb070c-df86-4216-a5bc-9fb60c74e27c | sh |
| 367 | discovery | T1082 | System Information Discovery | 4 | Linux VM Check via Hardware | 31dad7ad-2286-4c02-ae92-274418c85fec | bash |
| 368 | discovery | T1082 | System Information Discovery | 5 | Linux VM Check via Kernel Modules | 8057d484-0fae-49a4-8302-4812c4f1e64e | bash |
| 369 | discovery | T1082 | System Information Discovery | 6 | FreeBSD VM Check via Kernel Modules | eefe6a49-d88b-41d8-8fc2-b46822da90d3 | sh |
| 370 | discovery | T1082 | System Information Discovery | 8 | Hostname Discovery | 486e88ea-4f56-470f-9b57-3f4d73f39133 | sh |
| 371 | discovery | T1082 | System Information Discovery | 12 | Environment variables discovery on freebsd, macos and linux | fcbdd43f-f4ad-42d5-98f3-0218097e2720 | sh |
| 372 | discovery | T1082 | System Information Discovery | 25 | Linux List Kernel Modules | 034fe21c-3186-49dd-8d5d-128b35f181c7 | sh |
| 373 | discovery | T1082 | System Information Discovery | 26 | FreeBSD List Kernel Modules | 4947897f-643a-4b75-b3f5-bed6885749f6 | sh |
| 374 | discovery | T1497.003 | Time Based Evasion | 1 | Delay execution with ping | 8b87dd03-8204-478c-bac3-3959f6528de3 | sh |
| 375 | discovery | T1217 | Browser Bookmark Discovery | 1 | List Mozilla Firefox Bookmark Database Files on FreeBSD/Linux | 3a41f169-a5ab-407f-9269-abafdb5da6c2 | sh |
| 376 | discovery | T1217 | Browser Bookmark Discovery | 4 | List Google Chromium Bookmark JSON Files on FreeBSD | 88ca025b-3040-44eb-9168-bd8af22b82fa | sh |
| 377 | discovery | T1016 | System Network Configuration Discovery | 3 | System Network Configuration Discovery | c141bbdb-7fca-4254-9fd6-f47e79447e17 | sh |
| 378 | discovery | T1083 | File and Directory Discovery | 3 | Nix File and Directory Discovery | ffc8b249-372a-4b74-adcd-e4c0430842de | sh |
| 379 | discovery | T1083 | File and Directory Discovery | 4 | Nix File and Directory Discovery 2 | 13c5e1ae-605b-46c4-a79f-db28c77ff24e | sh |
| 380 | discovery | T1083 | File and Directory Discovery | 8 | Identifying Network Shares - Linux | 361fe49d-0c19-46ec-a483-ccb92d38e88e | sh |
| 381 | discovery | T1049 | System Network Connections Discovery | 4 | System Network Connections Discovery via ss or lsof (Linux/MacOS) | bcf05343-ef1d-4052-8a27-b00c9be42b9f | bash |
| 382 | discovery | T1049 | System Network Connections Discovery | 5 | System Network Connections Discovery FreeBSD, Linux & MacOS | 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 | sh |
| 383 | discovery | T1049 | System Network Connections Discovery | 6 | System Network Connections Discovery via sockstat (Linux, FreeBSD) | 997bb0a6-421e-40c7-b5d2-0f493904ef9b | sh |
| 384 | discovery | T1057 | Process Discovery | 1 | Process Discovery - ps | 4ff64f0b-aaf2-4866-b39d-38d9791407cc | sh |
| 385 | discovery | T1069.001 | Permission Groups Discovery: Local Groups | 1 | Permission Groups Discovery (Local) | 952931a4-af0b-4335-bbbe-73c8c5b327ae | sh |
| 386 | discovery | T1201 | Password Policy Discovery | 1 | Examine password complexity policy - Ubuntu | 085fe567-ac84-47c7-ac4c-2688ce28265b | bash |
| 387 | discovery | T1201 | Password Policy Discovery | 2 | Examine password complexity policy - FreeBSD | a7893624-a3d7-4aed-9676-80498f31820f | sh |
| 388 | discovery | T1201 | Password Policy Discovery | 3 | Examine password complexity policy - CentOS/RHEL 7.x | 78a12e65-efff-4617-bc01-88f17d71315d | bash |
| 389 | discovery | T1201 | Password Policy Discovery | 4 | Examine password complexity policy - CentOS/RHEL 6.x | 6ce12552-0adb-4f56-89ff-95ce268f6358 | bash |
| 390 | discovery | T1201 | Password Policy Discovery | 5 | Examine password expiration policy - All Linux | 7c86c55c-70fa-4a05-83c9-3aa19b145d1a | bash |
| 391 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 3 | Discover System Language with locale | 837d609b-845e-4519-90ce-edc3b4b0e138 | sh |
| 392 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 4 | Discover System Language with localectl | 07ce871a-b3c3-44a3-97fa-a20118fdc7c9 | sh |
| 393 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 5 | Discover System Language by locale file | 5d7057c9-2c8a-4026-91dd-13b5584daa69 | sh |
| 394 | discovery | T1614.001 | System Location Discovery: System Language Discovery | 6 | Discover System Language by Environment Variable Query | cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a | sh |
| 395 | discovery | T1614 | System Location Discovery | 2 | Get geolocation info through IP-Lookup services using curl freebsd, linux or macos | 552b4db3-8850-412c-abce-ab5cc8a86604 | bash |
| 396 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 4 | Security Software Discovery - ps (Linux) | 23b91cd2-c99c-4002-9e41-317c63e024a2 | sh |
| 397 | discovery | T1518.001 | Software Discovery: Security Software Discovery | 5 | Security Software Discovery - pgrep (FreeBSD) | fa96c21c-5fd6-4428-aa28-51a2fbecdbdc | sh |
| 398 | discovery | T1018 | Remote System Discovery | 6 | Remote System Discovery - arp nix | acb6b1ff-e2ad-4d64-806c-6c35fe73b951 | sh |
| 399 | discovery | T1018 | Remote System Discovery | 7 | Remote System Discovery - sweep | 96db2632-8417-4dbb-b8bb-a8b92ba391de | sh |
| 400 | discovery | T1018 | Remote System Discovery | 12 | Remote System Discovery - ip neighbour | 158bd4dd-6359-40ab-b13c-285b9ef6fa25 | sh |
| 401 | discovery | T1018 | Remote System Discovery | 13 | Remote System Discovery - ip route | 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 | sh |
| 402 | discovery | T1018 | Remote System Discovery | 14 | Remote System Discovery - netstat | d2791d72-b67f-4615-814f-ec824a91f514 | sh |
| 403 | discovery | T1018 | Remote System Discovery | 15 | Remote System Discovery - ip tcp_metrics | 6c2da894-0b57-43cb-87af-46ea3b501388 | sh |
| 404 | discovery | T1046 | Network Service Discovery | 1 | Port Scan | 68e907da-2539-48f6-9fc9-257a78c05540 | bash |
| 405 | discovery | T1046 | Network Service Discovery | 2 | Port Scan Nmap | 515942b0-a09f-4163-a7bb-22fefb6f185f | sh |
| 406 | discovery | T1046 | Network Service Discovery | 12 | Port Scan using nmap (Port range) | 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 | sh |
| 407 | discovery | T1124 | System Time Discovery | 3 | System Time Discovery in FreeBSD/macOS | f449c933-0891-407f-821e-7916a21a1a6f | sh |
| 408 | execution | T1053.003 | Scheduled Task/Job: Cron | 1 | Cron - Replace crontab with referenced file | 435057fb-74b1-410e-9403-d81baf194f75 | sh |
| 409 | execution | T1053.003 | Scheduled Task/Job: Cron | 2 | Cron - Add script to all cron subfolders | b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 | bash |
| 410 | execution | T1053.003 | Scheduled Task/Job: Cron | 3 | Cron - Add script to /etc/cron.d folder | 078e69eb-d9fb-450e-b9d0-2e118217c846 | sh |
| 411 | execution | T1053.003 | Scheduled Task/Job: Cron | 4 | Cron - Add script to /var/spool/cron/crontabs/ folder | 2d943c18-e74a-44bf-936f-25ade6cccab4 | bash |
| 412 | execution | T1569.003 | System Services: Systemctl | 1 | Create and Enable a Malicious systemd Service Unit | e58c8723-5503-4533-b642-535cd20ec648 | sh |
| 413 | execution | T1569.003 | System Services: Systemctl | 2 | Create systemd Service Unit from /tmp (Unusual Location) | a1fa406e-2354-4a24-b6d6-94157e7564d4 | sh |
| 414 | execution | T1569.003 | System Services: Systemctl | 3 | Create systemd Service Unit from /dev/shm (Unusual Location) | dce49381-a26b-4d95-bdfa-c607ffe8bee5 | sh |
| 415 | execution | T1569.003 | System Services: Systemctl | 4 | Modify Existing systemd Service to Execute Malicious Command | 6123928f-6389-4914-8d25-a5d69bd657fa | sh |
| 416 | execution | T1569.003 | System Services: Systemctl | 5 | Execute Command via Transient systemd Service (systemd-run) | a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236 | sh |
| 417 | execution | T1569.003 | System Services: Systemctl | 6 | Enumerate All systemd Services Using systemctl | 1e5be8d4-605a-4acb-8709-2f80b2d8ea95 | sh |
| 418 | execution | T1569.003 | System Services: Systemctl | 7 | Enable systemd Service for Persistence with Auto-Restart | 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7 | sh |
| 419 | execution | T1569.003 | System Services: Systemctl | 8 | Masquerade Malicious Service as Legitimate System Service | 6fec8560-ff64-4bbf-bc79-734fea48f7ca | sh |
| 420 | execution | T1053.006 | Scheduled Task/Job: Systemd Timers | 1 | Create Systemd Service and Timer | f4983098-bb13-44fb-9b2c-46149961807b | bash |
| 421 | execution | T1053.006 | Scheduled Task/Job: Systemd Timers | 2 | Create a user level transient systemd service and timer | 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec | sh |
| 422 | execution | T1053.006 | Scheduled Task/Job: Systemd Timers | 3 | Create a system level transient systemd service and timer | d3eda496-1fc0-49e9-aff5-3bec5da9fa22 | sh |
| 423 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 1 | Create and Execute Bash Shell Script | 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 | sh |
| 424 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 2 | Command-Line Interface | d0c88567-803d-4dca-99b4-7ce65e7b257c | sh |
| 425 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 3 | Harvest SUID executable files | 46274fc6-08a7-4956-861b-24cbbaa0503c | sh |
| 426 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 4 | LinEnum tool execution | a2b35a63-9df1-4806-9a4d-5fe0500845f2 | sh |
| 427 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 5 | New script file in the tmp directory | 8cd1947b-4a54-41fb-b5ea-07d0ace04f81 | sh |
| 428 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 6 | What shell is running | 7b38e5cc-47be-44f0-a425-390305c76c17 | sh |
| 429 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 7 | What shells are available | bf23c7dc-1004-4949-8262-4c1d1ef87702 | sh |
| 430 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 8 | Command line scripts | b04ed73c-7d43-4dc8-b563-a2fc595cba1a | sh |
| 431 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 9 | Obfuscated command line scripts | 5bec4cc8-f41e-437b-b417-33ff60acf9af | sh |
| 432 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 10 | Change login shell | c7ac59cb-13cc-4622-81dc-6d2fee9bfac7 | bash |
| 433 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 11 | Environment variable scripts | bdaebd56-368b-4970-a523-f905ff4a8a51 | sh |
| 434 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 12 | Detecting pipe-to-shell | fca246a8-a585-4f28-a2df-6495973976a1 | sh |
| 435 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 13 | Current kernel information enumeration | 3a53734a-9e26-4f4b-ad15-059e767f5f14 | sh |
| 436 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 14 | Shell Creation using awk command | ee72b37d-b8f5-46a5-a9e7-0ff50035ffd5 | sh |
| 437 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 15 | Creating shell using cpan command | bcd4c2bc-490b-4f91-bd31-3709fe75bbdf | sh |
| 438 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 16 | Shell Creation using busybox command | ab4d04af-68dc-4fee-9c16-6545265b3276 | sh |
| 439 | execution | T1059.004 | Command and Scripting Interpreter: Bash | 17 | emacs spawning an interactive system shell | e0742e38-6efe-4dd4-ba5c-2078095b6156 | sh |
| 440 | execution | T1059.006 | Command and Scripting Interpreter: Python | 1 | Execute shell script via python's command mode argument | 3a95cdb2-c6ea-4761-b24e-02b71889b8bb | sh |
| 441 | execution | T1059.006 | Command and Scripting Interpreter: Python | 2 | Execute Python via scripts | 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 | sh |
| 442 | execution | T1059.006 | Command and Scripting Interpreter: Python | 3 | Execute Python via Python executables | 0b44d79b-570a-4b27-a31f-3bf2156e5eaa | sh |
| 443 | execution | T1059.006 | Command and Scripting Interpreter: Python | 4 | Python pty module and spawn function used to spawn sh or bash | 161d694c-b543-4434-85c3-c3a433e33792 | sh |
| 444 | execution | T1053.002 | Scheduled Task/Job: At | 2 | At - Schedule a job | 7266d898-ac82-4ec0-97c7-436075d0d08e | sh |
| 445 | impact | T1489 | Service Stop | 4 | Linux - Stop service using systemctl | 42e3a5bd-1e45-427f-aa08-2a65fa29a820 | sh |
| 446 | impact | T1489 | Service Stop | 5 | Linux - Stop service by killing process using killall | e5d95be6-02ee-4ff1-aebe-cf86013b6189 | sh |
| 447 | impact | T1489 | Service Stop | 6 | Linux - Stop service by killing process using kill | 332f4c76-7e96-41a6-8cc2-7361c49db8be | sh |
| 448 | impact | T1489 | Service Stop | 7 | Linux - Stop service by killing process using pkill | 08b4718f-a8bf-4bb5-a552-294fc5178fea | sh |
| 449 | impact | T1489 | Service Stop | 8 | Abuse of linux magic system request key for Send a SIGTERM to all processes | 6e76f56f-2373-4a6c-a63f-98b7b72761f1 | bash |
| 450 | impact | T1531 | Account Access Removal | 4 | Change User Password via passwd | 3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6 | sh |
| 451 | impact | T1486 | Data Encrypted for Impact | 1 | Encrypt files using gpg (FreeBSD/Linux) | 7b8ce084-3922-4618-8d22-95f996173765 | sh |
| 452 | impact | T1486 | Data Encrypted for Impact | 2 | Encrypt files using 7z (FreeBSD/Linux) | 53e6735a-4727-44cc-b35b-237682a151ad | sh |
| 453 | impact | T1486 | Data Encrypted for Impact | 3 | Encrypt files using ccrypt (FreeBSD/Linux) | 08cbf59f-85da-4369-a5f4-049cffd7709f | sh |
| 454 | impact | T1486 | Data Encrypted for Impact | 4 | Encrypt files using openssl (FreeBSD/Linux) | 142752dc-ca71-443b-9359-cf6f497315f1 | sh |
| 455 | impact | T1496 | Resource Hijacking | 1 | FreeBSD/macOS/Linux - Simulate CPU Load with Yes | 904a5a0e-fb02-490d-9f8d-0e256eb37549 | sh |
| 456 | impact | T1485 | Data Destruction | 2 | FreeBSD/macOS/Linux - Overwrite file with DD | 38deee99-fd65-4031-bec8-bfa4f9f26146 | sh |
| 457 | impact | T1529 | System Shutdown/Reboot | 3 | Restart System via `shutdown` - FreeBSD/macOS/Linux | 6326dbc4-444b-4c04-88f4-27e94d0327cb | sh |
| 458 | impact | T1529 | System Shutdown/Reboot | 4 | Shutdown System via `shutdown` - FreeBSD/macOS/Linux | 4963a81e-a3ad-4f02-adda-812343b351de | sh |
| 459 | impact | T1529 | System Shutdown/Reboot | 5 | Restart System via `reboot` - FreeBSD/macOS/Linux | 47d0b042-a918-40ab-8cf9-150ffe919027 | sh |
| 460 | impact | T1529 | System Shutdown/Reboot | 6 | Shutdown System via `halt` - FreeBSD/Linux | 918f70ab-e1ef-49ff-bc57-b27021df84dd | sh |
| 461 | impact | T1529 | System Shutdown/Reboot | 7 | Reboot System via `halt` - FreeBSD | 7b1cee42-320f-4890-b056-d65c8b884ba5 | sh |
| 462 | impact | T1529 | System Shutdown/Reboot | 8 | Reboot System via `halt` - Linux | 78f92e14-f1e9-4446-b3e9-f1b921f2459e | bash |
| 463 | impact | T1529 | System Shutdown/Reboot | 9 | Shutdown System via `poweroff` - FreeBSD/Linux | 73a90cd2-48a2-4ac5-8594-2af35fa909fa | sh |
| 464 | impact | T1529 | System Shutdown/Reboot | 10 | Reboot System via `poweroff` - FreeBSD | 5a282e50-86ff-438d-8cef-8ae01c9e62e1 | sh |
| 465 | impact | T1529 | System Shutdown/Reboot | 11 | Reboot System via `poweroff` - Linux | 61303105-ff60-427b-999e-efb90b314e41 | bash |
| 466 | impact | T1529 | System Shutdown/Reboot | 16 | Abuse of Linux Magic System Request Key for Reboot | d2a1f4bc-a064-4223-8281-a086dce5423c | bash |
| 467 | initial-access | T1659 | Content Injection | 1 | MITM Proxy Injection | 9b360eaf-c778-4f07-a6e7-895c4f01ac1c | bash |
| 468 | initial-access | T1195.002 | Compromise Software Supply Chain | 1 | Simulate npm package installation on a Linux system | a9604672-cd46-493b-b58f-fd4124c22dd3 | bash |
| 469 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 8 | Create local account (Linux) | 02a91c34-8a5b-4bed-87af-501103eb5357 | bash |
| 470 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 9 | Reactivate a locked/expired account (Linux) | d2b95631-62d7-45a3-aaef-0972cea97931 | bash |
| 471 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 10 | Reactivate a locked/expired account (FreeBSD) | 09e3380a-fae5-4255-8b19-9950be0252cf | sh |
| 472 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 11 | Login as nobody (Linux) | 3d2cd093-ee05-41bd-a802-59ee5c301b85 | bash |
| 473 | initial-access | T1078.003 | Valid Accounts: Local Accounts | 12 | Login as nobody (freebsd) | 16f6374f-7600-459a-9b16-6a88fd96d310 | sh |
| 474 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 2 | Exfiltrate data HTTPS using curl freebsd,linux or macos | 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 | bash |
| 475 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 3 | Exfiltrate data in a file over HTTPS using wget | 7ccdfcfa-6707-46bc-b812-007ab6ff951c | sh |
| 476 | exfiltration | T1048.002 | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | 4 | Exfiltrate data as text over HTTPS using wget | 8bec51da-7a6d-4346-b941-51eca448c4b0 | sh |
| 477 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 1 | Exfiltration Over Alternative Protocol - SSH | f6786cc8-beda-4915-a4d6-ac2f193bb988 | sh |
| 478 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 2 | Exfiltration Over Alternative Protocol - SSH | 7c3cb337-35ae-4d06-bf03-3032ed2ec268 | sh |
| 479 | exfiltration | T1048 | Exfiltration Over Alternative Protocol | 4 | Exfiltrate Data using DNS Queries via dig | a27916da-05f2-4316-a3ee-feec67a437be | bash |
| 480 | exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | 2 | Exfiltrate data with rclone to cloud Storage - AWS S3 | a4b74723-5cee-4300-91c3-5e34166909b4 | powershell |
| 481 | exfiltration | T1030 | Data Transfer Size Limits | 1 | Data Transfer Size Limits | ab936c51-10f4-46ce-9144-e02137b2016a | sh |
| 482 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 1 | Exfiltration Over Alternative Protocol - HTTP | 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff | manual |
| 483 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 3 | Exfiltration Over Alternative Protocol - DNS | c403b5a4-b5fc-49f2-b181-d1c80d27db45 | manual |
| 484 | exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | 8 | Python3 http.server | 3ea1f938-f80a-4305-9aa8-431bc4867313 | sh |