add csv index by OS, then by tactic and technique, add art_layer json per OS (#903)

* add csv index by OS, then by tactic and technique

* generate art layer for each OS

* generate art layer for each OS

* update readme

* reset files

* a little cleanup

* a little cleanup

* deleted files from old location

* new folder structure and naming

* link fix

* temp add
Carrie Roberts
2020-04-03 11:14:15 -06:00
committed by GitHub
parent 3bc48cf815
commit a87eeeb535
21 changed files with 33856 additions and 41 deletions
@@ -40,11 +40,11 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr
* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
- Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
- macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
- Linux [Tests](atomics/linux-index.md) and [Matrix](atomics/linux-matrix.md)
* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our [coverage layer](atomics/art_navigator_layer.json)
* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes-Markdown/index.md), [csv](atomics/Indexes-CSV/index-by-tactic.md)) and the [ATT&CK Matrix](atomics/Matrices/matrix.md)
- Windows [Matrix](atomics/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes-CSV/windows-index.csv))
- MacOS [Matrix](atomics/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes-CSV/macos-index.csv))
- Linux [Matrix](atomics/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes-CSV/linux-index.csv))
* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Attack-Navigator-Layers/art-navigator-layer-linux.json))
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
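Review bot: the full-index csv link in `* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes-Markdown/index.md), [csv](atomics/Indexes-CSV/index-by-tactic.md))` points at a `.md` file inside `Indexes-CSV`, while the three per-OS csv links point at `.csv` files; if the generator writes `index-by-tactic.csv`, correct the target so the "csv" label actually opens a csv. The same hunk also changes the spelling from `macOS` (removed lines) to `MacOS` in the index and navigator-layer bullets; Apple's spelling is `macOS`, so keep the form the old lines used.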
@@ -0,0 +1 @@
{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1113","score":1
00,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]}
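Review bot: the layer is written as one minified line (the hunk is `@@ -0,0 +1 @@`), so every regeneration will show up as a single changed line and a reviewer cannot see which `techniqueID` entries were added or removed; have the generator pretty-print the JSON with one technique object per line so future diffs stay readable. The content itself is consistent with its legend: every entry has `"score":100` and `"enabled":true`, which matches the single legend item "Has at least one test" and the 0 to 100 gradient with both colors set to `#ce232e`.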
@@ -0,0 +1 @@
{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132","score":1
00,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true}]}
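Review bot: this layer and the previous one carry the identical `"name":"Atomic Red Team"` and `"description":"Atomic Red Team MITRE ATT&CK Navigator Layer"` even though their technique sets differ (this one includes T1005, T1144, T1152, T1159 and T1160; the previous one includes T1014, T1130, T1215 and T1501). ATT&CK Navigator shows the name on the layer tab, so loading the per-OS layers next to the full layer yields several tabs with the same title; put the OS into `name` and `description` when generating each per-OS layer, for example "Atomic Red Team (macOS)".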
@@ -0,0 +1,655 @@
Tactic,Technique #,Test #,Test Name
persistence,T1156,1,Add command to .bash_profile
persistence,T1156,2,Add command to .bashrc
persistence,T1015,1,Attaches Command Prompt as a Debugger to a List of Target Processes
persistence,T1098,1,Admin Account Manipulate
persistence,T1103,1,Install AppInit Shim
persistence,T1138,1,Application Shim Installation
persistence,T1138,2,New shim database files created in the default shim database directory
persistence,T1138,3,Registry key creation and/or modification events for SDB
persistence,T1197,1,Bitsadmin Download (cmd)
persistence,T1197,2,Bitsadmin Download (PowerShell)
persistence,T1197,3,"Persist, Download, & Execute"
persistence,T1176,1,Chrome (Developer Mode)
persistence,T1176,2,Chrome (Chrome Web Store)
persistence,T1176,3,Firefox
persistence,T1042,1,Change Default File Association
persistence,T1136,1,Create a user account on a Linux system
persistence,T1136,2,Create a user account on a MacOS system
persistence,T1136,3,Create a new user in a command prompt
persistence,T1136,4,Create a new user in PowerShell
persistence,T1136,5,Create a new user in Linux with `root` UID and GID.
persistence,T1038,1,DLL Search Order Hijacking - amsi.dll
persistence,T1519,1,Persistance with Event Monitor - emond
persistence,T1044,1,File System Permissions Weakness
persistence,T1158,1,Create a hidden file in a hidden directory
persistence,T1158,2,Mac Hidden file
persistence,T1158,3,Create Windows System File with Attrib
persistence,T1158,4,Create Windows Hidden File with Attrib
persistence,T1158,5,Hidden files
persistence,T1158,6,Hide a Directory
persistence,T1158,7,Show all hidden files
persistence,T1158,8,Create ADS command prompt
persistence,T1158,9,Create ADS PowerShell
persistence,T1179,1,Hook PowerShell TLS Encrypt/Decrypt Messages
persistence,T1062,1,Installing Hyper-V Feature
persistence,T1183,1,IFEO Add Debugger
persistence,T1183,2,IFEO Global Flags
persistence,T1215,1,Linux - Load Kernel Module via insmod
persistence,T1159,1,Launch Agent
persistence,T1160,1,Launch Daemon
persistence,T1152,1,Launchctl
persistence,T1168,1,Cron - Replace crontab with referenced file
persistence,T1168,2,Cron - Add script to cron folder
persistence,T1168,3,Event Monitor Daemon Persistence
persistence,T1037,1,Logon Scripts
persistence,T1037,2,Scheduled Task Startup Script
persistence,T1037,3,Logon Scripts - Mac
persistence,T1037,4,Supicious vbs file run from startup Folder
persistence,T1037,5,Supicious jse file run from startup Folder
persistence,T1037,6,Supicious bat file run from startup Folder
persistence,T1031,1,Modify Fax service to run PowerShell
persistence,T1128,1,Netsh Helper DLL Registration
persistence,T1050,1,Service Installation
persistence,T1050,2,Service Installation PowerShell
persistence,T1137,1,DDEAUTO
persistence,T1150,1,Plist Modification
persistence,T1504,1,Append malicious start-process cmdlet
persistence,T1163,1,rc.common
persistence,T1164,1,Re-Opened Applications
persistence,T1164,2,Re-Opened Applications
persistence,T1060,1,Reg Key Run
persistence,T1060,2,Reg Key RunOnce
persistence,T1060,3,PowerShell Registry RunOnce
persistence,T1053,1,At.exe Scheduled task
persistence,T1053,2,Scheduled task Local
persistence,T1053,3,Scheduled task Remote
persistence,T1053,4,Powershell Cmdlet Scheduled Task
persistence,T1180,1,Set Arbitrary Binary as Screensaver
persistence,T1101,1,Modify SSP configuration in registry
persistence,T1505,1,Install MS Exchange Transport Agent Persistence
persistence,T1058,1,Service Registry Permissions Weakness
persistence,T1166,1,Make and modify binary from C source
persistence,T1166,2,Set a SetUID flag on file
persistence,T1166,3,Set a SetGID flag on file
persistence,T1023,1,Shortcut Modification
persistence,T1023,2,Create shortcut to cmd in startup folders
persistence,T1165,1,add file to Local Library StartupItems
persistence,T1501,1,Create Systemd Service
persistence,T1154,1,Trap
persistence,T1100,1,Web Shell Written to Disk
persistence,T1084,1,Persistence
persistence,T1004,1,Winlogon Shell Key Persistence - PowerShell
persistence,T1004,2,Winlogon Userinit Key Persistence - PowerShell
persistence,T1004,3,Winlogon Notify Key Logon Persistence - PowerShell
defense-evasion,T1197,1,Bitsadmin Download (cmd)
defense-evasion,T1197,2,Bitsadmin Download (PowerShell)
defense-evasion,T1197,3,"Persist, Download, & Execute"
defense-evasion,T1009,1,Pad Binary to Change Hash - Linux/macOS dd
defense-evasion,T1088,1,Bypass UAC using Event Viewer (cmd)
defense-evasion,T1088,2,Bypass UAC using Event Viewer (PowerShell)
defense-evasion,T1088,3,Bypass UAC using Fodhelper
defense-evasion,T1088,4,Bypass UAC using Fodhelper - PowerShell
defense-evasion,T1088,5,Bypass UAC using ComputerDefaults (PowerShell)
defense-evasion,T1088,6,Bypass UAC by Mocking Trusted Directories
defense-evasion,T1191,1,CMSTP Executing Remote Scriptlet
defense-evasion,T1191,2,CMSTP Executing UAC Bypass
defense-evasion,T1146,1,Clear Bash history (rm)
defense-evasion,T1146,2,Clear Bash history (echo)
defense-evasion,T1146,3,Clear Bash history (cat dev/null)
defense-evasion,T1146,4,Clear Bash history (ln dev/null)
defense-evasion,T1146,5,Clear Bash history (truncate)
defense-evasion,T1146,6,Clear history of a bunch of shells
defense-evasion,T1500,1,Compile After Delivery using csc.exe
defense-evasion,T1223,1,Compiled HTML Help Local Payload
defense-evasion,T1223,2,Compiled HTML Help Remote Payload
defense-evasion,T1090,1,Connection Proxy
defense-evasion,T1090,2,portproxy reg key
defense-evasion,T1196,1,Control Panel Items
defense-evasion,T1207,1,DCShadow - Mimikatz
defense-evasion,T1038,1,DLL Search Order Hijacking - amsi.dll
defense-evasion,T1073,1,DLL Side-Loading using the Notepad++ GUP.exe binary
defense-evasion,T1140,1,Deobfuscate/Decode Files Or Information
defense-evasion,T1140,2,Certutil Rename and Decode
defense-evasion,T1089,1,Disable iptables firewall
defense-evasion,T1089,2,Disable syslog
defense-evasion,T1089,3,Disable Cb Response
defense-evasion,T1089,4,Disable SELinux
defense-evasion,T1089,5,Disable Carbon Black Response
defense-evasion,T1089,6,Disable LittleSnitch
defense-evasion,T1089,7,Disable OpenDNS Umbrella
defense-evasion,T1089,8,Unload Sysmon Filter Driver
defense-evasion,T1089,9,Disable Windows IIS HTTP Logging
defense-evasion,T1089,10,Uninstall Sysmon
defense-evasion,T1089,11,AMSI Bypass - AMSI InitFailed
defense-evasion,T1089,12,AMSI Bypass - Remove AMSI Provider Reg Key
defense-evasion,T1089,13,Disable Arbitrary Security Windows Service
defense-evasion,T1089,14,Disable PowerShell Script Block Logging
defense-evasion,T1089,15,PowerShell Bypass of AntiMalware Scripting Interface
defense-evasion,T1089,16,Tamper with Windows Defender ATP PowerShell
defense-evasion,T1089,17,Tamper with Windows Defender Command Prompt
defense-evasion,T1089,18,Tamper with Windows Defender Registry
defense-evasion,T1089,19,Disable Microft Office Security Features
defense-evasion,T1089,20,Remove Windows Defender Definition Files
defense-evasion,T1107,1,Delete a single file - Linux/macOS
defense-evasion,T1107,2,Delete an entire folder - Linux/macOS
defense-evasion,T1107,3,Overwrite and delete a file with shred
defense-evasion,T1107,4,Delete a single file - Windows cmd
defense-evasion,T1107,5,Delete an entire folder - Windows cmd
defense-evasion,T1107,6,Delete a single file - Windows PowerShell
defense-evasion,T1107,7,Delete an entire folder - Windows PowerShell
defense-evasion,T1107,8,Delete VSS - vssadmin
defense-evasion,T1107,9,Delete VSS - wmic
defense-evasion,T1107,10,bcdedit
defense-evasion,T1107,11,wbadmin
defense-evasion,T1107,12,Delete Filesystem - Linux
defense-evasion,T1107,13,Delete-PrefetchFile
defense-evasion,T1107,14,Delete TeamViewer Log Files
defense-evasion,T1222,1,Take ownership using takeown utility
defense-evasion,T1222,2,Take ownership recursively using takeown utility
defense-evasion,T1222,3,cacls - Grant permission to specified user or group
defense-evasion,T1222,4,cacls - Grant permission to specified user or group recursively
defense-evasion,T1222,5,icacls - Grant permission to specified user or group
defense-evasion,T1222,6,icacls - Grant permission to specified user or group recursively
defense-evasion,T1222,7,attrib - Remove read-only attribute
defense-evasion,T1222,8,chmod - Change file or folder mode (numeric mode)
defense-evasion,T1222,9,chmod - Change file or folder mode (symbolic mode)
defense-evasion,T1222,10,chmod - Change file or folder mode (numeric mode) recursively
defense-evasion,T1222,11,chmod - Change file or folder mode (symbolic mode) recursively
defense-evasion,T1222,12,chown - Change file or folder ownership and group
defense-evasion,T1222,13,chown - Change file or folder ownership and group recursively
defense-evasion,T1222,14,chown - Change file or folder mode ownership only
defense-evasion,T1222,15,chown - Change file or folder ownership recursively
defense-evasion,T1222,16,chattr - Remove immutable file attribute
defense-evasion,T1144,1,Gatekeeper Bypass
defense-evasion,T1148,1,Disable history collection
defense-evasion,T1148,2,Mac HISTCONTROL
defense-evasion,T1158,1,Create a hidden file in a hidden directory
defense-evasion,T1158,2,Mac Hidden file
defense-evasion,T1158,3,Create Windows System File with Attrib
defense-evasion,T1158,4,Create Windows Hidden File with Attrib
defense-evasion,T1158,5,Hidden files
defense-evasion,T1158,6,Hide a Directory
defense-evasion,T1158,7,Show all hidden files
defense-evasion,T1158,8,Create ADS command prompt
defense-evasion,T1158,9,Create ADS PowerShell
defense-evasion,T1147,1,Hidden Users
defense-evasion,T1143,1,Hidden Window
defense-evasion,T1183,1,IFEO Add Debugger
defense-evasion,T1183,2,IFEO Global Flags
defense-evasion,T1070,1,Clear Logs
defense-evasion,T1070,2,FSUtil
defense-evasion,T1070,3,rm -rf
defense-evasion,T1070,4,Overwrite Linux Mail Spool
defense-evasion,T1070,5,Overwrite Linux Log
defense-evasion,T1070,6,Delete System Logs Using PowerShell
defense-evasion,T1070,7,Delete System Logs Using Clear-EventLogId
defense-evasion,T1202,1,Indirect Command Execution - pcalua.exe
defense-evasion,T1202,2,Indirect Command Execution - forfiles.exe
defense-evasion,T1130,1,Install root CA on CentOS/RHEL
defense-evasion,T1118,1,CheckIfInstallable method call
defense-evasion,T1118,2,InstallHelper method call
defense-evasion,T1118,3,InstallUtil class constructor method call
defense-evasion,T1118,4,InstallUtil Install method call
defense-evasion,T1118,5,InstallUtil Uninstall method call - /U variant
defense-evasion,T1118,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
defense-evasion,T1118,7,InstallUtil HelpText method call
defense-evasion,T1118,8,InstallUtil evasive invocation
defense-evasion,T1152,1,Launchctl
defense-evasion,T1036,1,Masquerading as Windows LSASS process
defense-evasion,T1036,2,Masquerading as Linux crond process.
defense-evasion,T1036,3,Masquerading - cscript.exe running as notepad.exe
defense-evasion,T1036,4,Masquerading - wscript.exe running as svchost.exe
defense-evasion,T1036,5,Masquerading - powershell.exe running as taskhostw.exe
defense-evasion,T1036,6,Masquerading - non-windows exe running as windows exe
defense-evasion,T1036,7,Masquerading - windows exe running as different windows exe
defense-evasion,T1036,8,Malicious process Masquerading as LSM.exe
defense-evasion,T1112,1,Modify Registry of Current User Profile - cmd
defense-evasion,T1112,2,Modify Registry of Local Machine - cmd
defense-evasion,T1112,3,Modify Registry of Another User Profile
defense-evasion,T1112,4,Modify registry to store logon credentials
defense-evasion,T1112,5,Modify registry to store PowerShell code
defense-evasion,T1112,6,Add domain to Trusted sites Zone
defense-evasion,T1112,7,Javascript in registry
defense-evasion,T1170,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
defense-evasion,T1170,2,Mshta calls a local VBScript file to launch notepad.exe
defense-evasion,T1170,3,Mshta executes VBScript to execute malicious command
defense-evasion,T1170,4,Mshta Executes Remote HTML Application (HTA)
defense-evasion,T1096,1,Alternate Data Streams (ADS)
defense-evasion,T1096,2,Store file in Alternate Data Stream (ADS)
defense-evasion,T1126,1,Add Network Share
defense-evasion,T1126,2,Remove Network Share
defense-evasion,T1126,3,Remove Network Share PowerShell
defense-evasion,T1027,1,Decode base64 Data into Script
defense-evasion,T1027,2,Execute base64-encoded PowerShell
defense-evasion,T1027,3,Execute base64-encoded PowerShell from Windows Registry
defense-evasion,T1502,1,Parent PID Spoofing using PowerShell
defense-evasion,T1150,1,Plist Modification
defense-evasion,T1093,1,Process Hollowing using PowerShell
defense-evasion,T1055,1,Process Injection via mavinject.exe
defense-evasion,T1055,2,Process Injection via PowerSploit
defense-evasion,T1055,3,Shared Library Injection via /etc/ld.so.preload
defense-evasion,T1055,4,Shared Library Injection via LD_PRELOAD
defense-evasion,T1055,5,Process Injection via C#
defense-evasion,T1055,6,svchost writing a file to a UNC path
defense-evasion,T1121,1,Regasm Uninstall Method Call Test
defense-evasion,T1121,2,Regsvs Uninstall Method Call Test
defense-evasion,T1117,1,Regsvr32 local COM scriptlet execution
defense-evasion,T1117,2,Regsvr32 remote COM scriptlet execution
defense-evasion,T1117,3,Regsvr32 local DLL execution
defense-evasion,T1014,1,Loadable Kernel Module based Rootkit
defense-evasion,T1014,2,Loadable Kernel Module based Rootkit
defense-evasion,T1014,3,Windows Signed Driver Rootkit Test
defense-evasion,T1085,1,Rundll32 execute JavaScript Remote Payload With GetObject
defense-evasion,T1085,2,Rundll32 execute VBscript command
defense-evasion,T1085,3,Rundll32 advpack.dll Execution
defense-evasion,T1085,4,Rundll32 ieadvpack.dll Execution
defense-evasion,T1085,5,Rundll32 syssetup.dll Execution
defense-evasion,T1085,6,Rundll32 setupapi.dll Execution
defense-evasion,T1064,1,Create and Execute Bash Shell Script
defense-evasion,T1064,2,Create and Execute Batch Script
defense-evasion,T1218,1,mavinject - Inject DLL into running process
defense-evasion,T1218,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code
defense-evasion,T1218,3,Register-CimProvider - Execute evil dll
defense-evasion,T1218,4,Msiexec.exe - Execute Local MSI file
defense-evasion,T1218,5,Msiexec.exe - Execute Remote MSI file
defense-evasion,T1218,6,Msiexec.exe - Execute Arbitrary DLL
defense-evasion,T1218,7,Odbcconf.exe - Execute Arbitrary DLL
defense-evasion,T1218,8,InfDefaultInstall.exe .inf Execution
defense-evasion,T1216,1,PubPrn.vbs Signed Script Bypass
defense-evasion,T1216,2,SyncAppvPublishingServer Signed Script PowerShell Command Execution
defense-evasion,T1216,3,manage-bde.wsf Signed Script Command Execution
defense-evasion,T1151,1,Space After Filename
defense-evasion,T1099,1,Set a file's access timestamp
defense-evasion,T1099,2,Set a file's modification timestamp
defense-evasion,T1099,3,Set a file's creation timestamp
defense-evasion,T1099,4,Modify file timestamps using reference file
defense-evasion,T1099,5,Windows - Modify file creation timestamp with PowerShell
defense-evasion,T1099,6,Windows - Modify file last modified timestamp with PowerShell
defense-evasion,T1099,7,Windows - Modify file last access timestamp with PowerShell
defense-evasion,T1127,1,MSBuild Bypass Using Inline Tasks
defense-evasion,T1102,1,Reach out to C2 Pointer URLs via command_prompt
defense-evasion,T1102,2,Reach out to C2 Pointer URLs via powershell
defense-evasion,T1220,1,MSXSL Bypass using local files
defense-evasion,T1220,2,MSXSL Bypass using remote files
defense-evasion,T1220,3,WMIC bypass using local XSL file
defense-evasion,T1220,4,WMIC bypass using remote XSL file
privilege-escalation,T1015,1,Attaches Command Prompt as a Debugger to a List of Target Processes
privilege-escalation,T1103,1,Install AppInit Shim
privilege-escalation,T1138,1,Application Shim Installation
privilege-escalation,T1138,2,New shim database files created in the default shim database directory
privilege-escalation,T1138,3,Registry key creation and/or modification events for SDB
privilege-escalation,T1088,1,Bypass UAC using Event Viewer (cmd)
privilege-escalation,T1088,2,Bypass UAC using Event Viewer (PowerShell)
privilege-escalation,T1088,3,Bypass UAC using Fodhelper
privilege-escalation,T1088,4,Bypass UAC using Fodhelper - PowerShell
privilege-escalation,T1088,5,Bypass UAC using ComputerDefaults (PowerShell)
privilege-escalation,T1088,6,Bypass UAC by Mocking Trusted Directories
privilege-escalation,T1038,1,DLL Search Order Hijacking - amsi.dll
privilege-escalation,T1519,1,Persistance with Event Monitor - emond
privilege-escalation,T1044,1,File System Permissions Weakness
privilege-escalation,T1179,1,Hook PowerShell TLS Encrypt/Decrypt Messages
privilege-escalation,T1183,1,IFEO Add Debugger
privilege-escalation,T1183,2,IFEO Global Flags
privilege-escalation,T1160,1,Launch Daemon
privilege-escalation,T1050,1,Service Installation
privilege-escalation,T1050,2,Service Installation PowerShell
privilege-escalation,T1502,1,Parent PID Spoofing using PowerShell
privilege-escalation,T1150,1,Plist Modification
privilege-escalation,T1504,1,Append malicious start-process cmdlet
privilege-escalation,T1055,1,Process Injection via mavinject.exe
privilege-escalation,T1055,2,Process Injection via PowerSploit
privilege-escalation,T1055,3,Shared Library Injection via /etc/ld.so.preload
privilege-escalation,T1055,4,Shared Library Injection via LD_PRELOAD
privilege-escalation,T1055,5,Process Injection via C#
privilege-escalation,T1055,6,svchost writing a file to a UNC path
privilege-escalation,T1053,1,At.exe Scheduled task
privilege-escalation,T1053,2,Scheduled task Local
privilege-escalation,T1053,3,Scheduled task Remote
privilege-escalation,T1053,4,Powershell Cmdlet Scheduled Task
privilege-escalation,T1058,1,Service Registry Permissions Weakness
privilege-escalation,T1166,1,Make and modify binary from C source
privilege-escalation,T1166,2,Set a SetUID flag on file
privilege-escalation,T1166,3,Set a SetGID flag on file
privilege-escalation,T1165,1,add file to Local Library StartupItems
privilege-escalation,T1169,1,Sudo usage
privilege-escalation,T1206,1,Unlimited sudo cache timeout
privilege-escalation,T1206,2,Disable tty_tickets for sudo caching
privilege-escalation,T1100,1,Web Shell Written to Disk
impact,T1531,1,Change User Password - Windows
impact,T1531,2,Delete User - Windows
impact,T1485,1,Windows - Delete Volume Shadow Copies
impact,T1485,2,Windows - Delete Windows Backup Catalog
impact,T1485,3,Windows - Disable Windows Recovery Console Repair
impact,T1485,4,Windows - Overwrite file with Sysinternals SDelete
impact,T1485,5,macOS/Linux - Overwrite file with DD
impact,T1485,6,Windows - Delete Backup Files
impact,T1490,1,Windows - Delete Volume Shadow Copies
impact,T1490,2,Windows - Delete Volume Shadow Copies via WMI
impact,T1490,3,Windows - Delete Windows Backup Catalog
impact,T1490,4,Windows - Disable Windows Recovery Console Repair
impact,T1490,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell
impact,T1496,1,macOS/Linux - Simulate CPU Load with Yes
impact,T1489,1,Windows - Stop service using Service Controller
impact,T1489,2,Windows - Stop service using net.exe
impact,T1489,3,Windows - Stop service by killing process
impact,T1529,1,Shutdown System - Windows
impact,T1529,2,Restart System - Windows
impact,T1529,3,Restart System via `shutdown` - macOS/Linux
impact,T1529,4,Shutdown System via `shutdown` - macOS/Linux
impact,T1529,5,Restart System via `reboot` - macOS/Linux
impact,T1529,6,Shutdown System via `halt` - Linux
impact,T1529,7,Reboot System via `halt` - Linux
impact,T1529,8,Shutdown System via `poweroff` - Linux
impact,T1529,9,Reboot System via `poweroff` - Linux
discovery,T1087,1,Enumerate all accounts
discovery,T1087,2,View sudoers access
discovery,T1087,3,View accounts with UID 0
discovery,T1087,4,List opened files by user
discovery,T1087,5,Show if a user account has ever logged in remotely
discovery,T1087,6,Enumerate users and groups
discovery,T1087,7,Enumerate users and groups
discovery,T1087,8,Enumerate all accounts
discovery,T1087,9,Enumerate all accounts via PowerShell
discovery,T1087,10,Enumerate logged on users
discovery,T1087,11,Enumerate logged on users via PowerShell
discovery,T1010,1,List Process Main Windows - C# .NET
discovery,T1217,1,List Mozilla Firefox Bookmark Database Files on Linux
discovery,T1217,2,List Mozilla Firefox Bookmark Database Files on macOS
discovery,T1217,3,List Google Chrome Bookmark JSON Files on macOS
discovery,T1217,4,List Google Chrome Bookmarks on Windows with powershell
discovery,T1217,5,List Google Chrome Bookmarks on Windows with command prompt
discovery,T1482,1,Windows - Discover domain trusts with dsquery
discovery,T1482,2,Windows - Discover domain trusts with nltest
discovery,T1482,3,Powershell enumerate domains and forests
discovery,T1083,1,File and Directory Discovery (cmd.exe)
discovery,T1083,2,File and Directory Discovery (PowerShell)
discovery,T1083,3,Nix File and Diectory Discovery
discovery,T1083,4,Nix File and Directory Discovery 2
discovery,T1046,1,Port Scan
discovery,T1046,2,Port Scan Nmap
discovery,T1135,1,Network Share Discovery
discovery,T1135,2,Network Share Discovery command prompt
discovery,T1135,3,Network Share Discovery PowerShell
discovery,T1135,4,View available share drives
discovery,T1040,1,Packet Capture Linux
discovery,T1040,2,Packet Capture macOS
discovery,T1040,3,Packet Capture Windows Command Prompt
discovery,T1040,4,Packet Capture PowerShell
discovery,T1201,1,Examine password complexity policy - Ubuntu
discovery,T1201,2,Examine password complexity policy - CentOS/RHEL 7.x
discovery,T1201,3,Examine password complexity policy - CentOS/RHEL 6.x
discovery,T1201,4,Examine password expiration policy - All Linux
discovery,T1201,5,Examine local password policy - Windows
discovery,T1201,6,Examine domain password policy - Windows
discovery,T1201,7,Examine password policy - macOS
discovery,T1069,1,Permission Groups Discovery
discovery,T1069,2,Basic Permission Groups Discovery Windows
discovery,T1069,3,Permission Groups Discovery PowerShell
discovery,T1069,4,Elevated group enumeration using net group
discovery,T1057,1,Process Discovery - ps
discovery,T1057,2,Process Discovery - tasklist
discovery,T1012,1,Query Registry
discovery,T1018,1,Remote System Discovery - net
discovery,T1018,2,Remote System Discovery - net group Domain Computers
discovery,T1018,3,Remote System Discovery - nltest
discovery,T1018,4,Remote System Discovery - ping sweep
discovery,T1018,5,Remote System Discovery - arp
discovery,T1018,6,Remote System Discovery - arp nix
discovery,T1018,7,Remote System Discovery - sweep
discovery,T1018,8,Remote System Discovery - nslookup
discovery,T1063,1,Security Software Discovery
discovery,T1063,2,Security Software Discovery - powershell
discovery,T1063,3,Security Software Discovery - ps
discovery,T1063,4,Security Software Discovery - Sysmon Service
discovery,T1063,5,Security Software Discovery - AV Discovery via WMI
discovery,T1518,1,Find and Display Internet Explorer Browser Version
discovery,T1518,2,Applications Installed
discovery,T1082,1,System Information Discovery
discovery,T1082,2,System Information Discovery
discovery,T1082,3,List OS Information
discovery,T1082,4,Linux VM Check via Hardware
discovery,T1082,5,Linux VM Check via Kernel Modules
discovery,T1082,6,Hostname Discovery (Windows)
discovery,T1082,7,Hostname Discovery
discovery,T1082,8,Windows MachineGUID Discovery
discovery,T1016,1,System Network Configuration Discovery
discovery,T1016,2,List Windows Firewall Rules
discovery,T1016,3,System Network Configuration Discovery
discovery,T1016,4,System Network Configuration Discovery (TrickBot Style)
discovery,T1016,5,List Open Egress Ports
discovery,T1049,1,System Network Connections Discovery
discovery,T1049,2,System Network Connections Discovery with PowerShell
discovery,T1049,3,System Network Connections Discovery Linux & MacOS
discovery,T1033,1,System Owner/User Discovery
discovery,T1033,2,System Owner/User Discovery
discovery,T1007,1,System Service Discovery
discovery,T1007,2,System Service Discovery - net.exe
discovery,T1124,1,System Time Discovery
discovery,T1124,2,System Time Discovery - PowerShell
credential-access,T1098,1,Admin Account Manipulate
credential-access,T1139,1,Search Through Bash History
credential-access,T1110,1,Brute Force Credentials
credential-access,T1003,1,Powershell Mimikatz
credential-access,T1003,2,Gsecdump
credential-access,T1003,3,Windows Credential Editor
credential-access,T1003,4,"Registry dump of SAM, creds, and secrets"
credential-access,T1003,5,Dump LSASS.exe Memory using ProcDump
credential-access,T1003,6,Dump LSASS.exe Memory using Windows Task Manager
credential-access,T1003,7,Offline Credential Theft With Mimikatz
credential-access,T1003,8,Dump Active Directory Database with NTDSUtil
credential-access,T1003,9,Create Volume Shadow Copy with NTDS.dit
credential-access,T1003,10,Copy NTDS.dit from Volume Shadow Copy
credential-access,T1003,11,GPP Passwords (findstr)
credential-access,T1003,12,GPP Passwords (Get-GPPPassword)
credential-access,T1003,13,LSASS read with pypykatz
credential-access,T1003,14,Registry parse with pypykatz
credential-access,T1081,1,Extract Browser and System credentials with LaZagne
credential-access,T1081,2,Extract passwords with grep
credential-access,T1081,3,Extracting passwords with findstr
credential-access,T1081,4,Access unattend.xml
credential-access,T1214,1,Enumeration for Credentials in Registry
credential-access,T1214,2,Enumeration for PuTTY Credentials in Registry
credential-access,T1179,1,Hook PowerShell TLS Encrypt/Decrypt Messages
credential-access,T1056,1,Input Capture
credential-access,T1141,1,AppleScript - Prompt User for Password
credential-access,T1141,2,PowerShell - Prompt User for Password
credential-access,T1208,1,Request for service tickets
credential-access,T1142,1,Keychain
credential-access,T1040,1,Packet Capture Linux
credential-access,T1040,2,Packet Capture macOS
credential-access,T1040,3,Packet Capture Windows Command Prompt
credential-access,T1040,4,Packet Capture PowerShell
credential-access,T1174,1,Install and Register Password Filter DLL
credential-access,T1145,1,Private Keys
credential-access,T1145,2,Discover Private SSH Keys
credential-access,T1145,3,Copy Private SSH Keys with CP
credential-access,T1145,4,Copy Private SSH Keys with rsync
execution,T1155,1,AppleScript
execution,T1191,1,CMSTP Executing Remote Scriptlet
execution,T1191,2,CMSTP Executing UAC Bypass
execution,T1059,1,Command-Line Interface
execution,T1223,1,Compiled HTML Help Local Payload
execution,T1223,2,Compiled HTML Help Remote Payload
execution,T1196,1,Control Panel Items
execution,T1173,1,Execute Commands
execution,T1173,2,Execute PowerShell script via Word DDE
execution,T1118,1,CheckIfInstallable method call
execution,T1118,2,InstallHelper method call
execution,T1118,3,InstallUtil class constructor method call
execution,T1118,4,InstallUtil Install method call
execution,T1118,5,InstallUtil Uninstall method call - /U variant
execution,T1118,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
execution,T1118,7,InstallUtil HelpText method call
execution,T1118,8,InstallUtil evasive invocation
execution,T1152,1,Launchctl
execution,T1168,1,Cron - Replace crontab with referenced file
execution,T1168,2,Cron - Add script to cron folder
execution,T1168,3,Event Monitor Daemon Persistence
execution,T1170,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
execution,T1170,2,Mshta calls a local VBScript file to launch notepad.exe
execution,T1170,3,Mshta executes VBScript to execute malicious command
execution,T1170,4,Mshta Executes Remote HTML Application (HTA)
execution,T1086,1,Mimikatz
execution,T1086,2,BloodHound
execution,T1086,3,Obfuscation Tests
execution,T1086,4,Mimikatz - Cradlecraft PsSendKeys
execution,T1086,5,Invoke-AppPathBypass
execution,T1086,6,PowerShell Add User
execution,T1086,7,Powershell MsXml COM object - no prompt
execution,T1086,8,Powershell MsXml COM object - with prompt
execution,T1086,9,Powershell XML requests
execution,T1086,10,Powershell invoke mshta.exe download
execution,T1086,11,Powershell Invoke-DownloadCradle
execution,T1086,12,PowerShell Fileless Script Execution
execution,T1086,13,PowerShell Downgrade Attack
execution,T1086,14,NTFS Alternate Data Stream Access
execution,T1121,1,Regasm Uninstall Method Call Test
execution,T1121,2,Regsvs Uninstall Method Call Test
execution,T1117,1,Regsvr32 local COM scriptlet execution
execution,T1117,2,Regsvr32 remote COM scriptlet execution
execution,T1117,3,Regsvr32 local DLL execution
execution,T1085,1,Rundll32 execute JavaScript Remote Payload With GetObject
execution,T1085,2,Rundll32 execute VBscript command
execution,T1085,3,Rundll32 advpack.dll Execution
execution,T1085,4,Rundll32 ieadvpack.dll Execution
execution,T1085,5,Rundll32 syssetup.dll Execution
execution,T1085,6,Rundll32 setupapi.dll Execution
execution,T1053,1,At.exe Scheduled task
execution,T1053,2,Scheduled task Local
execution,T1053,3,Scheduled task Remote
execution,T1053,4,Powershell Cmdlet Scheduled Task
execution,T1064,1,Create and Execute Bash Shell Script
execution,T1064,2,Create and Execute Batch Script
execution,T1035,1,Execute a Command as a Service
execution,T1035,2,Use PsExec to execute a command on a remote host
execution,T1218,1,mavinject - Inject DLL into running process
execution,T1218,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code
execution,T1218,3,Register-CimProvider - Execute evil dll
execution,T1218,4,Msiexec.exe - Execute Local MSI file
execution,T1218,5,Msiexec.exe - Execute Remote MSI file
execution,T1218,6,Msiexec.exe - Execute Arbitrary DLL
execution,T1218,7,Odbcconf.exe - Execute Arbitrary DLL
execution,T1218,8,InfDefaultInstall.exe .inf Execution
execution,T1216,1,PubPrn.vbs Signed Script Bypass
execution,T1216,2,SyncAppvPublishingServer Signed Script PowerShell Command Execution
execution,T1216,3,manage-bde.wsf Signed Script Command Execution
execution,T1153,1,Execute Script using Source
execution,T1153,2,Execute Script using Source Alias
execution,T1151,1,Space After Filename
execution,T1154,1,Trap
execution,T1127,1,MSBuild Bypass Using Inline Tasks
execution,T1204,1,OSTap Style Macro Execution
execution,T1204,2,Maldoc choice flags command execution
execution,T1204,3,OSTAP JS version
execution,T1047,1,WMI Reconnaissance Users
execution,T1047,2,WMI Reconnaissance Processes
execution,T1047,3,WMI Reconnaissance Software
execution,T1047,4,WMI Reconnaissance List Remote Services
execution,T1047,5,WMI Execute Local Process
execution,T1047,6,WMI Execute Remote Process
execution,T1028,1,Enable Windows Remote Management
execution,T1028,2,PowerShell Lateral Movement
execution,T1028,3,WMIC Process Call Create
execution,T1028,4,Psexec
execution,T1028,5,Invoke-Command
execution,T1220,1,MSXSL Bypass using local files
execution,T1220,2,MSXSL Bypass using remote files
execution,T1220,3,WMIC bypass using local XSL file
execution,T1220,4,WMIC bypass using remote XSL file
lateral-movement,T1155,1,AppleScript
lateral-movement,T1037,1,Logon Scripts
lateral-movement,T1037,2,Scheduled Task Startup Script
lateral-movement,T1037,3,Logon Scripts - Mac
lateral-movement,T1037,4,Supicious vbs file run from startup Folder
lateral-movement,T1037,5,Supicious jse file run from startup Folder
lateral-movement,T1037,6,Supicious bat file run from startup Folder
lateral-movement,T1075,1,Mimikatz Pass the Hash
lateral-movement,T1075,2,crackmapexec Pass the Hash
lateral-movement,T1097,1,Mimikatz Kerberos Ticket Attack
lateral-movement,T1076,1,RDP
lateral-movement,T1076,2,RDPto-DomainController
lateral-movement,T1105,1,rsync remote file copy (push)
lateral-movement,T1105,2,rsync remote file copy (pull)
lateral-movement,T1105,3,scp remote file copy (push)
lateral-movement,T1105,4,scp remote file copy (pull)
lateral-movement,T1105,5,sftp remote file copy (push)
lateral-movement,T1105,6,sftp remote file copy (pull)
lateral-movement,T1105,7,certutil download (urlcache)
lateral-movement,T1105,8,certutil download (verifyctl)
lateral-movement,T1105,9,Windows - BITSAdmin BITS Download
lateral-movement,T1105,10,Windows - PowerShell Download
lateral-movement,T1105,11,OSTAP Worming Activity
lateral-movement,T1077,1,Map admin share
lateral-movement,T1077,2,Map Admin Share PowerShell
lateral-movement,T1077,3,Copy and Execute File with PsExec
lateral-movement,T1077,4,Execute command writing output to local Admin Share
lateral-movement,T1028,1,Enable Windows Remote Management
lateral-movement,T1028,2,PowerShell Lateral Movement
lateral-movement,T1028,3,WMIC Process Call Create
lateral-movement,T1028,4,Psexec
lateral-movement,T1028,5,Invoke-Command
collection,T1123,1,using device audio capture commandlet
collection,T1119,1,Automated Collection Command Prompt
collection,T1119,2,Automated Collection PowerShell
collection,T1119,3,Recon information for export with PowerShell
collection,T1119,4,Recon information for export with Command Prompt
collection,T1115,1,Utilize Clipboard to store or execute commands from
collection,T1115,2,PowerShell
collection,T1074,1,Stage data from Discovery.bat
collection,T1074,2,Stage data from Discovery.sh
collection,T1074,3,Zip a Folder with PowerShell for Staging in Temp
collection,T1005,1,Search macOS Safari Cookies
collection,T1114,1,T1114 Email Collection with PowerShell
collection,T1056,1,Input Capture
collection,T1113,1,Screencapture
collection,T1113,2,Screencapture (silent)
collection,T1113,3,X Windows Capture
collection,T1113,4,Import
exfiltration,T1002,1,Compress Data for Exfiltration With PowerShell
exfiltration,T1002,2,Compress Data for Exfiltration With Rar
exfiltration,T1002,3,Data Compressed - nix - zip
exfiltration,T1002,4,Data Compressed - nix - gzip Single File
exfiltration,T1002,5,Data Compressed - nix - tar Folder or File
exfiltration,T1022,1,Data Encrypted with zip and gpg symmetric
exfiltration,T1022,2,Compress Data and lock with password for Exfiltration with winrar
exfiltration,T1022,3,Compress Data and lock with password for Exfiltration with winzip
exfiltration,T1022,4,Compress Data and lock with password for Exfiltration with 7zip
exfiltration,T1030,1,Data Transfer Size Limits
exfiltration,T1048,1,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,2,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,3,Exfiltration Over Alternative Protocol - HTTP
exfiltration,T1048,4,Exfiltration Over Alternative Protocol - ICMP
exfiltration,T1048,5,Exfiltration Over Alternative Protocol - DNS
command-and-control,T1090,1,Connection Proxy
command-and-control,T1090,2,portproxy reg key
command-and-control,T1132,1,Base64 Encoded data.
command-and-control,T1219,1,TeamViewer Files Detected Test on Windows
command-and-control,T1105,1,rsync remote file copy (push)
command-and-control,T1105,2,rsync remote file copy (pull)
command-and-control,T1105,3,scp remote file copy (push)
command-and-control,T1105,4,scp remote file copy (pull)
command-and-control,T1105,5,sftp remote file copy (push)
command-and-control,T1105,6,sftp remote file copy (pull)
command-and-control,T1105,7,certutil download (urlcache)
command-and-control,T1105,8,certutil download (verifyctl)
command-and-control,T1105,9,Windows - BITSAdmin BITS Download
command-and-control,T1105,10,Windows - PowerShell Download
command-and-control,T1105,11,OSTAP Worming Activity
command-and-control,T1071,1,Malicious User Agents - Powershell
command-and-control,T1071,2,Malicious User Agents - CMD
command-and-control,T1071,3,Malicious User Agents - Nix
command-and-control,T1071,4,DNS Large Query Volume
command-and-control,T1071,5,DNS Regular Beaconing
command-and-control,T1071,6,DNS Long Domain Query
command-and-control,T1071,7,DNS C2
command-and-control,T1071,8,OSTap Payload Download
command-and-control,T1032,1,OpenSSL C2
command-and-control,T1095,1,ICMP C2
command-and-control,T1095,2,Netcat C2
command-and-control,T1095,3,Powercat C2
command-and-control,T1065,1,Testing usage of uncommonly used port with PowerShell
command-and-control,T1065,2,Testing usage of uncommonly used port
command-and-control,T1102,1,Reach out to C2 Pointer URLs via command_prompt
command-and-control,T1102,2,Reach out to C2 Pointer URLs via powershell
initial-access,T1193,1,Download Phishing Attachment - VBScript
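Review bot: several test names in this generated index carry typos that should be corrected in the source atomic YAML rather than in the CSV, since the index is regenerated from those files: "Nix File and Diectory Discovery" (T1083 test 3) and the three "Supicious ... file run from startup Folder" entries (T1037 tests 4-6). Two names also break the column's conventions: "T1114 Email Collection with PowerShell" repeats the technique ID that already sits in the Technique column, and "Base64 Encoded data." is the only name with a trailing period; both are worth normalising upstream so the test-name column stays uniform.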
1 Tactic Technique # Test # Test Name
2 persistence T1156 1 Add command to .bash_profile
3 persistence T1156 2 Add command to .bashrc
4 persistence T1015 1 Attaches Command Prompt as a Debugger to a List of Target Processes
5 persistence T1098 1 Admin Account Manipulate
6 persistence T1103 1 Install AppInit Shim
7 persistence T1138 1 Application Shim Installation
8 persistence T1138 2 New shim database files created in the default shim database directory
9 persistence T1138 3 Registry key creation and/or modification events for SDB
10 persistence T1197 1 Bitsadmin Download (cmd)
11 persistence T1197 2 Bitsadmin Download (PowerShell)
12 persistence T1197 3 Persist, Download, & Execute
13 persistence T1176 1 Chrome (Developer Mode)
14 persistence T1176 2 Chrome (Chrome Web Store)
15 persistence T1176 3 Firefox
16 persistence T1042 1 Change Default File Association
17 persistence T1136 1 Create a user account on a Linux system
18 persistence T1136 2 Create a user account on a MacOS system
19 persistence T1136 3 Create a new user in a command prompt
20 persistence T1136 4 Create a new user in PowerShell
21 persistence T1136 5 Create a new user in Linux with `root` UID and GID.
22 persistence T1038 1 DLL Search Order Hijacking - amsi.dll
23 persistence T1519 1 Persistance with Event Monitor - emond
24 persistence T1044 1 File System Permissions Weakness
25 persistence T1158 1 Create a hidden file in a hidden directory
26 persistence T1158 2 Mac Hidden file
27 persistence T1158 3 Create Windows System File with Attrib
28 persistence T1158 4 Create Windows Hidden File with Attrib
29 persistence T1158 5 Hidden files
30 persistence T1158 6 Hide a Directory
31 persistence T1158 7 Show all hidden files
32 persistence T1158 8 Create ADS command prompt
33 persistence T1158 9 Create ADS PowerShell
34 persistence T1179 1 Hook PowerShell TLS Encrypt/Decrypt Messages
35 persistence T1062 1 Installing Hyper-V Feature
36 persistence T1183 1 IFEO Add Debugger
37 persistence T1183 2 IFEO Global Flags
38 persistence T1215 1 Linux - Load Kernel Module via insmod
39 persistence T1159 1 Launch Agent
40 persistence T1160 1 Launch Daemon
41 persistence T1152 1 Launchctl
42 persistence T1168 1 Cron - Replace crontab with referenced file
43 persistence T1168 2 Cron - Add script to cron folder
44 persistence T1168 3 Event Monitor Daemon Persistence
45 persistence T1037 1 Logon Scripts
46 persistence T1037 2 Scheduled Task Startup Script
47 persistence T1037 3 Logon Scripts - Mac
48 persistence T1037 4 Supicious vbs file run from startup Folder
49 persistence T1037 5 Supicious jse file run from startup Folder
50 persistence T1037 6 Supicious bat file run from startup Folder
51 persistence T1031 1 Modify Fax service to run PowerShell
52 persistence T1128 1 Netsh Helper DLL Registration
53 persistence T1050 1 Service Installation
54 persistence T1050 2 Service Installation PowerShell
55 persistence T1137 1 DDEAUTO
56 persistence T1150 1 Plist Modification
57 persistence T1504 1 Append malicious start-process cmdlet
58 persistence T1163 1 rc.common
59 persistence T1164 1 Re-Opened Applications
60 persistence T1164 2 Re-Opened Applications
61 persistence T1060 1 Reg Key Run
62 persistence T1060 2 Reg Key RunOnce
63 persistence T1060 3 PowerShell Registry RunOnce
64 persistence T1053 1 At.exe Scheduled task
65 persistence T1053 2 Scheduled task Local
66 persistence T1053 3 Scheduled task Remote
67 persistence T1053 4 Powershell Cmdlet Scheduled Task
68 persistence T1180 1 Set Arbitrary Binary as Screensaver
69 persistence T1101 1 Modify SSP configuration in registry
70 persistence T1505 1 Install MS Exchange Transport Agent Persistence
71 persistence T1058 1 Service Registry Permissions Weakness
72 persistence T1166 1 Make and modify binary from C source
73 persistence T1166 2 Set a SetUID flag on file
74 persistence T1166 3 Set a SetGID flag on file
75 persistence T1023 1 Shortcut Modification
76 persistence T1023 2 Create shortcut to cmd in startup folders
77 persistence T1165 1 add file to Local Library StartupItems
78 persistence T1501 1 Create Systemd Service
79 persistence T1154 1 Trap
80 persistence T1100 1 Web Shell Written to Disk
81 persistence T1084 1 Persistence
82 persistence T1004 1 Winlogon Shell Key Persistence - PowerShell
83 persistence T1004 2 Winlogon Userinit Key Persistence - PowerShell
84 persistence T1004 3 Winlogon Notify Key Logon Persistence - PowerShell
85 defense-evasion T1197 1 Bitsadmin Download (cmd)
86 defense-evasion T1197 2 Bitsadmin Download (PowerShell)
87 defense-evasion T1197 3 Persist, Download, & Execute
88 defense-evasion T1009 1 Pad Binary to Change Hash - Linux/macOS dd
89 defense-evasion T1088 1 Bypass UAC using Event Viewer (cmd)
90 defense-evasion T1088 2 Bypass UAC using Event Viewer (PowerShell)
91 defense-evasion T1088 3 Bypass UAC using Fodhelper
92 defense-evasion T1088 4 Bypass UAC using Fodhelper - PowerShell
93 defense-evasion T1088 5 Bypass UAC using ComputerDefaults (PowerShell)
94 defense-evasion T1088 6 Bypass UAC by Mocking Trusted Directories
95 defense-evasion T1191 1 CMSTP Executing Remote Scriptlet
96 defense-evasion T1191 2 CMSTP Executing UAC Bypass
97 defense-evasion T1146 1 Clear Bash history (rm)
98 defense-evasion T1146 2 Clear Bash history (echo)
99 defense-evasion T1146 3 Clear Bash history (cat dev/null)
100 defense-evasion T1146 4 Clear Bash history (ln dev/null)
101 defense-evasion T1146 5 Clear Bash history (truncate)
102 defense-evasion T1146 6 Clear history of a bunch of shells
103 defense-evasion T1500 1 Compile After Delivery using csc.exe
104 defense-evasion T1223 1 Compiled HTML Help Local Payload
105 defense-evasion T1223 2 Compiled HTML Help Remote Payload
106 defense-evasion T1090 1 Connection Proxy
107 defense-evasion T1090 2 portproxy reg key
108 defense-evasion T1196 1 Control Panel Items
109 defense-evasion T1207 1 DCShadow - Mimikatz
110 defense-evasion T1038 1 DLL Search Order Hijacking - amsi.dll
111 defense-evasion T1073 1 DLL Side-Loading using the Notepad++ GUP.exe binary
112 defense-evasion T1140 1 Deobfuscate/Decode Files Or Information
113 defense-evasion T1140 2 Certutil Rename and Decode
114 defense-evasion T1089 1 Disable iptables firewall
115 defense-evasion T1089 2 Disable syslog
116 defense-evasion T1089 3 Disable Cb Response
117 defense-evasion T1089 4 Disable SELinux
118 defense-evasion T1089 5 Disable Carbon Black Response
119 defense-evasion T1089 6 Disable LittleSnitch
120 defense-evasion T1089 7 Disable OpenDNS Umbrella
121 defense-evasion T1089 8 Unload Sysmon Filter Driver
122 defense-evasion T1089 9 Disable Windows IIS HTTP Logging
123 defense-evasion T1089 10 Uninstall Sysmon
124 defense-evasion T1089 11 AMSI Bypass - AMSI InitFailed
125 defense-evasion T1089 12 AMSI Bypass - Remove AMSI Provider Reg Key
126 defense-evasion T1089 13 Disable Arbitrary Security Windows Service
127 defense-evasion T1089 14 Disable PowerShell Script Block Logging
128 defense-evasion T1089 15 PowerShell Bypass of AntiMalware Scripting Interface
129 defense-evasion T1089 16 Tamper with Windows Defender ATP PowerShell
130 defense-evasion T1089 17 Tamper with Windows Defender Command Prompt
131 defense-evasion T1089 18 Tamper with Windows Defender Registry
132 defense-evasion T1089 19 Disable Microft Office Security Features
133 defense-evasion T1089 20 Remove Windows Defender Definition Files
134 defense-evasion T1107 1 Delete a single file - Linux/macOS
135 defense-evasion T1107 2 Delete an entire folder - Linux/macOS
136 defense-evasion T1107 3 Overwrite and delete a file with shred
137 defense-evasion T1107 4 Delete a single file - Windows cmd
138 defense-evasion T1107 5 Delete an entire folder - Windows cmd
139 defense-evasion T1107 6 Delete a single file - Windows PowerShell
140 defense-evasion T1107 7 Delete an entire folder - Windows PowerShell
141 defense-evasion T1107 8 Delete VSS - vssadmin
142 defense-evasion T1107 9 Delete VSS - wmic
143 defense-evasion T1107 10 bcdedit
144 defense-evasion T1107 11 wbadmin
145 defense-evasion T1107 12 Delete Filesystem - Linux
146 defense-evasion T1107 13 Delete-PrefetchFile
147 defense-evasion T1107 14 Delete TeamViewer Log Files
148 defense-evasion T1222 1 Take ownership using takeown utility
149 defense-evasion T1222 2 Take ownership recursively using takeown utility
150 defense-evasion T1222 3 cacls - Grant permission to specified user or group
151 defense-evasion T1222 4 cacls - Grant permission to specified user or group recursively
152 defense-evasion T1222 5 icacls - Grant permission to specified user or group
153 defense-evasion T1222 6 icacls - Grant permission to specified user or group recursively
154 defense-evasion T1222 7 attrib - Remove read-only attribute
155 defense-evasion T1222 8 chmod - Change file or folder mode (numeric mode)
156 defense-evasion T1222 9 chmod - Change file or folder mode (symbolic mode)
157 defense-evasion T1222 10 chmod - Change file or folder mode (numeric mode) recursively
158 defense-evasion T1222 11 chmod - Change file or folder mode (symbolic mode) recursively
159 defense-evasion T1222 12 chown - Change file or folder ownership and group
160 defense-evasion T1222 13 chown - Change file or folder ownership and group recursively
161 defense-evasion T1222 14 chown - Change file or folder mode ownership only
162 defense-evasion T1222 15 chown - Change file or folder ownership recursively
163 defense-evasion T1222 16 chattr - Remove immutable file attribute
164 defense-evasion T1144 1 Gatekeeper Bypass
165 defense-evasion T1148 1 Disable history collection
166 defense-evasion T1148 2 Mac HISTCONTROL
167 defense-evasion T1158 1 Create a hidden file in a hidden directory
168 defense-evasion T1158 2 Mac Hidden file
169 defense-evasion T1158 3 Create Windows System File with Attrib
170 defense-evasion T1158 4 Create Windows Hidden File with Attrib
171 defense-evasion T1158 5 Hidden files
172 defense-evasion T1158 6 Hide a Directory
173 defense-evasion T1158 7 Show all hidden files
174 defense-evasion T1158 8 Create ADS command prompt
175 defense-evasion T1158 9 Create ADS PowerShell
176 defense-evasion T1147 1 Hidden Users
177 defense-evasion T1143 1 Hidden Window
178 defense-evasion T1183 1 IFEO Add Debugger
179 defense-evasion T1183 2 IFEO Global Flags
180 defense-evasion T1070 1 Clear Logs
181 defense-evasion T1070 2 FSUtil
182 defense-evasion T1070 3 rm -rf
183 defense-evasion T1070 4 Overwrite Linux Mail Spool
184 defense-evasion T1070 5 Overwrite Linux Log
185 defense-evasion T1070 6 Delete System Logs Using PowerShell
186 defense-evasion T1070 7 Delete System Logs Using Clear-EventLogId
187 defense-evasion T1202 1 Indirect Command Execution - pcalua.exe
188 defense-evasion T1202 2 Indirect Command Execution - forfiles.exe
189 defense-evasion T1130 1 Install root CA on CentOS/RHEL
190 defense-evasion T1118 1 CheckIfInstallable method call
191 defense-evasion T1118 2 InstallHelper method call
192 defense-evasion T1118 3 InstallUtil class constructor method call
193 defense-evasion T1118 4 InstallUtil Install method call
194 defense-evasion T1118 5 InstallUtil Uninstall method call - /U variant
195 defense-evasion T1118 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
196 defense-evasion T1118 7 InstallUtil HelpText method call
197 defense-evasion T1118 8 InstallUtil evasive invocation
198 defense-evasion T1152 1 Launchctl
199 defense-evasion T1036 1 Masquerading as Windows LSASS process
200 defense-evasion T1036 2 Masquerading as Linux crond process.
201 defense-evasion T1036 3 Masquerading - cscript.exe running as notepad.exe
202 defense-evasion T1036 4 Masquerading - wscript.exe running as svchost.exe
203 defense-evasion T1036 5 Masquerading - powershell.exe running as taskhostw.exe
204 defense-evasion T1036 6 Masquerading - non-windows exe running as windows exe
205 defense-evasion T1036 7 Masquerading - windows exe running as different windows exe
206 defense-evasion T1036 8 Malicious process Masquerading as LSM.exe
207 defense-evasion T1112 1 Modify Registry of Current User Profile - cmd
208 defense-evasion T1112 2 Modify Registry of Local Machine - cmd
209 defense-evasion T1112 3 Modify Registry of Another User Profile
210 defense-evasion T1112 4 Modify registry to store logon credentials
211 defense-evasion T1112 5 Modify registry to store PowerShell code
212 defense-evasion T1112 6 Add domain to Trusted sites Zone
213 defense-evasion T1112 7 Javascript in registry
214 defense-evasion T1170 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
215 defense-evasion T1170 2 Mshta calls a local VBScript file to launch notepad.exe
216 defense-evasion T1170 3 Mshta executes VBScript to execute malicious command
217 defense-evasion T1170 4 Mshta Executes Remote HTML Application (HTA)
218 defense-evasion T1096 1 Alternate Data Streams (ADS)
219 defense-evasion T1096 2 Store file in Alternate Data Stream (ADS)
220 defense-evasion T1126 1 Add Network Share
221 defense-evasion T1126 2 Remove Network Share
222 defense-evasion T1126 3 Remove Network Share PowerShell
223 defense-evasion T1027 1 Decode base64 Data into Script
224 defense-evasion T1027 2 Execute base64-encoded PowerShell
225 defense-evasion T1027 3 Execute base64-encoded PowerShell from Windows Registry
226 defense-evasion T1502 1 Parent PID Spoofing using PowerShell
227 defense-evasion T1150 1 Plist Modification
228 defense-evasion T1093 1 Process Hollowing using PowerShell
229 defense-evasion T1055 1 Process Injection via mavinject.exe
230 defense-evasion T1055 2 Process Injection via PowerSploit
231 defense-evasion T1055 3 Shared Library Injection via /etc/ld.so.preload
232 defense-evasion T1055 4 Shared Library Injection via LD_PRELOAD
233 defense-evasion T1055 5 Process Injection via C#
234 defense-evasion T1055 6 svchost writing a file to a UNC path
235 defense-evasion T1121 1 Regasm Uninstall Method Call Test
236 defense-evasion T1121 2 Regsvs Uninstall Method Call Test
237 defense-evasion T1117 1 Regsvr32 local COM scriptlet execution
238 defense-evasion T1117 2 Regsvr32 remote COM scriptlet execution
239 defense-evasion T1117 3 Regsvr32 local DLL execution
240 defense-evasion T1014 1 Loadable Kernel Module based Rootkit
241 defense-evasion T1014 2 Loadable Kernel Module based Rootkit
242 defense-evasion T1014 3 Windows Signed Driver Rootkit Test
243 defense-evasion T1085 1 Rundll32 execute JavaScript Remote Payload With GetObject
244 defense-evasion T1085 2 Rundll32 execute VBscript command
245 defense-evasion T1085 3 Rundll32 advpack.dll Execution
246 defense-evasion T1085 4 Rundll32 ieadvpack.dll Execution
247 defense-evasion T1085 5 Rundll32 syssetup.dll Execution
248 defense-evasion T1085 6 Rundll32 setupapi.dll Execution
249 defense-evasion T1064 1 Create and Execute Bash Shell Script
250 defense-evasion T1064 2 Create and Execute Batch Script
251 defense-evasion T1218 1 mavinject - Inject DLL into running process
252 defense-evasion T1218 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code
253 defense-evasion T1218 3 Register-CimProvider - Execute evil dll
254 defense-evasion T1218 4 Msiexec.exe - Execute Local MSI file
255 defense-evasion T1218 5 Msiexec.exe - Execute Remote MSI file
256 defense-evasion T1218 6 Msiexec.exe - Execute Arbitrary DLL
257 defense-evasion T1218 7 Odbcconf.exe - Execute Arbitrary DLL
258 defense-evasion T1218 8 InfDefaultInstall.exe .inf Execution
259 defense-evasion T1216 1 PubPrn.vbs Signed Script Bypass
260 defense-evasion T1216 2 SyncAppvPublishingServer Signed Script PowerShell Command Execution
261 defense-evasion T1216 3 manage-bde.wsf Signed Script Command Execution
262 defense-evasion T1151 1 Space After Filename
263 defense-evasion T1099 1 Set a file's access timestamp
264 defense-evasion T1099 2 Set a file's modification timestamp
265 defense-evasion T1099 3 Set a file's creation timestamp
266 defense-evasion T1099 4 Modify file timestamps using reference file
267 defense-evasion T1099 5 Windows - Modify file creation timestamp with PowerShell
268 defense-evasion T1099 6 Windows - Modify file last modified timestamp with PowerShell
269 defense-evasion T1099 7 Windows - Modify file last access timestamp with PowerShell
270 defense-evasion T1127 1 MSBuild Bypass Using Inline Tasks
271 defense-evasion T1102 1 Reach out to C2 Pointer URLs via command_prompt
272 defense-evasion T1102 2 Reach out to C2 Pointer URLs via powershell
273 defense-evasion T1220 1 MSXSL Bypass using local files
274 defense-evasion T1220 2 MSXSL Bypass using remote files
275 defense-evasion T1220 3 WMIC bypass using local XSL file
276 defense-evasion T1220 4 WMIC bypass using remote XSL file
277 privilege-escalation T1015 1 Attaches Command Prompt as a Debugger to a List of Target Processes
278 privilege-escalation T1103 1 Install AppInit Shim
279 privilege-escalation T1138 1 Application Shim Installation
280 privilege-escalation T1138 2 New shim database files created in the default shim database directory
281 privilege-escalation T1138 3 Registry key creation and/or modification events for SDB
282 privilege-escalation T1088 1 Bypass UAC using Event Viewer (cmd)
283 privilege-escalation T1088 2 Bypass UAC using Event Viewer (PowerShell)
284 privilege-escalation T1088 3 Bypass UAC using Fodhelper
285 privilege-escalation T1088 4 Bypass UAC using Fodhelper - PowerShell
286 privilege-escalation T1088 5 Bypass UAC using ComputerDefaults (PowerShell)
287 privilege-escalation T1088 6 Bypass UAC by Mocking Trusted Directories
288 privilege-escalation T1038 1 DLL Search Order Hijacking - amsi.dll
289 privilege-escalation T1519 1 Persistance with Event Monitor - emond
290 privilege-escalation T1044 1 File System Permissions Weakness
291 privilege-escalation T1179 1 Hook PowerShell TLS Encrypt/Decrypt Messages
292 privilege-escalation T1183 1 IFEO Add Debugger
293 privilege-escalation T1183 2 IFEO Global Flags
294 privilege-escalation T1160 1 Launch Daemon
295 privilege-escalation T1050 1 Service Installation
296 privilege-escalation T1050 2 Service Installation PowerShell
297 privilege-escalation T1502 1 Parent PID Spoofing using PowerShell
298 privilege-escalation T1150 1 Plist Modification
299 privilege-escalation T1504 1 Append malicious start-process cmdlet
300 privilege-escalation T1055 1 Process Injection via mavinject.exe
301 privilege-escalation T1055 2 Process Injection via PowerSploit
302 privilege-escalation T1055 3 Shared Library Injection via /etc/ld.so.preload
303 privilege-escalation T1055 4 Shared Library Injection via LD_PRELOAD
304 privilege-escalation T1055 5 Process Injection via C#
305 privilege-escalation T1055 6 svchost writing a file to a UNC path
306 privilege-escalation T1053 1 At.exe Scheduled task
307 privilege-escalation T1053 2 Scheduled task Local
308 privilege-escalation T1053 3 Scheduled task Remote
309 privilege-escalation T1053 4 Powershell Cmdlet Scheduled Task
310 privilege-escalation T1058 1 Service Registry Permissions Weakness
311 privilege-escalation T1166 1 Make and modify binary from C source
312 privilege-escalation T1166 2 Set a SetUID flag on file
313 privilege-escalation T1166 3 Set a SetGID flag on file
314 privilege-escalation T1165 1 add file to Local Library StartupItems
315 privilege-escalation T1169 1 Sudo usage
316 privilege-escalation T1206 1 Unlimited sudo cache timeout
317 privilege-escalation T1206 2 Disable tty_tickets for sudo caching
318 privilege-escalation T1100 1 Web Shell Written to Disk
319 impact T1531 1 Change User Password - Windows
320 impact T1531 2 Delete User - Windows
321 impact T1485 1 Windows - Delete Volume Shadow Copies
322 impact T1485 2 Windows - Delete Windows Backup Catalog
323 impact T1485 3 Windows - Disable Windows Recovery Console Repair
324 impact T1485 4 Windows - Overwrite file with Sysinternals SDelete
325 impact T1485 5 macOS/Linux - Overwrite file with DD
326 impact T1485 6 Windows - Delete Backup Files
327 impact T1490 1 Windows - Delete Volume Shadow Copies
328 impact T1490 2 Windows - Delete Volume Shadow Copies via WMI
329 impact T1490 3 Windows - Delete Windows Backup Catalog
330 impact T1490 4 Windows - Disable Windows Recovery Console Repair
331 impact T1490 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell
332 impact T1496 1 macOS/Linux - Simulate CPU Load with Yes
333 impact T1489 1 Windows - Stop service using Service Controller
334 impact T1489 2 Windows - Stop service using net.exe
335 impact T1489 3 Windows - Stop service by killing process
336 impact T1529 1 Shutdown System - Windows
337 impact T1529 2 Restart System - Windows
338 impact T1529 3 Restart System via `shutdown` - macOS/Linux
339 impact T1529 4 Shutdown System via `shutdown` - macOS/Linux
340 impact T1529 5 Restart System via `reboot` - macOS/Linux
341 impact T1529 6 Shutdown System via `halt` - Linux
342 impact T1529 7 Reboot System via `halt` - Linux
343 impact T1529 8 Shutdown System via `poweroff` - Linux
344 impact T1529 9 Reboot System via `poweroff` - Linux
345 discovery T1087 1 Enumerate all accounts
346 discovery T1087 2 View sudoers access
347 discovery T1087 3 View accounts with UID 0
348 discovery T1087 4 List opened files by user
349 discovery T1087 5 Show if a user account has ever logged in remotely
350 discovery T1087 6 Enumerate users and groups
351 discovery T1087 7 Enumerate users and groups
352 discovery T1087 8 Enumerate all accounts
353 discovery T1087 9 Enumerate all accounts via PowerShell
354 discovery T1087 10 Enumerate logged on users
355 discovery T1087 11 Enumerate logged on users via PowerShell
356 discovery T1010 1 List Process Main Windows - C# .NET
357 discovery T1217 1 List Mozilla Firefox Bookmark Database Files on Linux
358 discovery T1217 2 List Mozilla Firefox Bookmark Database Files on macOS
359 discovery T1217 3 List Google Chrome Bookmark JSON Files on macOS
360 discovery T1217 4 List Google Chrome Bookmarks on Windows with powershell
361 discovery T1217 5 List Google Chrome Bookmarks on Windows with command prompt
362 discovery T1482 1 Windows - Discover domain trusts with dsquery
363 discovery T1482 2 Windows - Discover domain trusts with nltest
364 discovery T1482 3 Powershell enumerate domains and forests
365 discovery T1083 1 File and Directory Discovery (cmd.exe)
366 discovery T1083 2 File and Directory Discovery (PowerShell)
367 discovery T1083 3 Nix File and Diectory Discovery
368 discovery T1083 4 Nix File and Directory Discovery 2
369 discovery T1046 1 Port Scan
370 discovery T1046 2 Port Scan Nmap
371 discovery T1135 1 Network Share Discovery
372 discovery T1135 2 Network Share Discovery command prompt
373 discovery T1135 3 Network Share Discovery PowerShell
374 discovery T1135 4 View available share drives
375 discovery T1040 1 Packet Capture Linux
376 discovery T1040 2 Packet Capture macOS
377 discovery T1040 3 Packet Capture Windows Command Prompt
378 discovery T1040 4 Packet Capture PowerShell
379 discovery T1201 1 Examine password complexity policy - Ubuntu
380 discovery T1201 2 Examine password complexity policy - CentOS/RHEL 7.x
381 discovery T1201 3 Examine password complexity policy - CentOS/RHEL 6.x
382 discovery T1201 4 Examine password expiration policy - All Linux
383 discovery T1201 5 Examine local password policy - Windows
384 discovery T1201 6 Examine domain password policy - Windows
385 discovery T1201 7 Examine password policy - macOS
386 discovery T1069 1 Permission Groups Discovery
387 discovery T1069 2 Basic Permission Groups Discovery Windows
388 discovery T1069 3 Permission Groups Discovery PowerShell
389 discovery T1069 4 Elevated group enumeration using net group
390 discovery T1057 1 Process Discovery - ps
391 discovery T1057 2 Process Discovery - tasklist
392 discovery T1012 1 Query Registry
393 discovery T1018 1 Remote System Discovery - net
394 discovery T1018 2 Remote System Discovery - net group Domain Computers
395 discovery T1018 3 Remote System Discovery - nltest
396 discovery T1018 4 Remote System Discovery - ping sweep
397 discovery T1018 5 Remote System Discovery - arp
398 discovery T1018 6 Remote System Discovery - arp nix
399 discovery T1018 7 Remote System Discovery - sweep
400 discovery T1018 8 Remote System Discovery - nslookup
401 discovery T1063 1 Security Software Discovery
402 discovery T1063 2 Security Software Discovery - powershell
403 discovery T1063 3 Security Software Discovery - ps
404 discovery T1063 4 Security Software Discovery - Sysmon Service
405 discovery T1063 5 Security Software Discovery - AV Discovery via WMI
406 discovery T1518 1 Find and Display Internet Explorer Browser Version
407 discovery T1518 2 Applications Installed
408 discovery T1082 1 System Information Discovery
409 discovery T1082 2 System Information Discovery
410 discovery T1082 3 List OS Information
411 discovery T1082 4 Linux VM Check via Hardware
412 discovery T1082 5 Linux VM Check via Kernel Modules
413 discovery T1082 6 Hostname Discovery (Windows)
414 discovery T1082 7 Hostname Discovery
415 discovery T1082 8 Windows MachineGUID Discovery
416 discovery T1016 1 System Network Configuration Discovery
417 discovery T1016 2 List Windows Firewall Rules
418 discovery T1016 3 System Network Configuration Discovery
419 discovery T1016 4 System Network Configuration Discovery (TrickBot Style)
420 discovery T1016 5 List Open Egress Ports
421 discovery T1049 1 System Network Connections Discovery
422 discovery T1049 2 System Network Connections Discovery with PowerShell
423 discovery T1049 3 System Network Connections Discovery Linux & MacOS
424 discovery T1033 1 System Owner/User Discovery
425 discovery T1033 2 System Owner/User Discovery
426 discovery T1007 1 System Service Discovery
427 discovery T1007 2 System Service Discovery - net.exe
428 discovery T1124 1 System Time Discovery
429 discovery T1124 2 System Time Discovery - PowerShell
430 credential-access T1098 1 Admin Account Manipulate
431 credential-access T1139 1 Search Through Bash History
432 credential-access T1110 1 Brute Force Credentials
433 credential-access T1003 1 Powershell Mimikatz
434 credential-access T1003 2 Gsecdump
435 credential-access T1003 3 Windows Credential Editor
436 credential-access T1003 4 Registry dump of SAM, creds, and secrets
437 credential-access T1003 5 Dump LSASS.exe Memory using ProcDump
438 credential-access T1003 6 Dump LSASS.exe Memory using Windows Task Manager
439 credential-access T1003 7 Offline Credential Theft With Mimikatz
440 credential-access T1003 8 Dump Active Directory Database with NTDSUtil
441 credential-access T1003 9 Create Volume Shadow Copy with NTDS.dit
442 credential-access T1003 10 Copy NTDS.dit from Volume Shadow Copy
443 credential-access T1003 11 GPP Passwords (findstr)
444 credential-access T1003 12 GPP Passwords (Get-GPPPassword)
445 credential-access T1003 13 LSASS read with pypykatz
446 credential-access T1003 14 Registry parse with pypykatz
447 credential-access T1081 1 Extract Browser and System credentials with LaZagne
448 credential-access T1081 2 Extract passwords with grep
449 credential-access T1081 3 Extracting passwords with findstr
450 credential-access T1081 4 Access unattend.xml
451 credential-access T1214 1 Enumeration for Credentials in Registry
452 credential-access T1214 2 Enumeration for PuTTY Credentials in Registry
453 credential-access T1179 1 Hook PowerShell TLS Encrypt/Decrypt Messages
454 credential-access T1056 1 Input Capture
455 credential-access T1141 1 AppleScript - Prompt User for Password
456 credential-access T1141 2 PowerShell - Prompt User for Password
457 credential-access T1208 1 Request for service tickets
458 credential-access T1142 1 Keychain
459 credential-access T1040 1 Packet Capture Linux
460 credential-access T1040 2 Packet Capture macOS
461 credential-access T1040 3 Packet Capture Windows Command Prompt
462 credential-access T1040 4 Packet Capture PowerShell
463 credential-access T1174 1 Install and Register Password Filter DLL
464 credential-access T1145 1 Private Keys
465 credential-access T1145 2 Discover Private SSH Keys
466 credential-access T1145 3 Copy Private SSH Keys with CP
467 credential-access T1145 4 Copy Private SSH Keys with rsync
468 execution T1155 1 AppleScript
469 execution T1191 1 CMSTP Executing Remote Scriptlet
470 execution T1191 2 CMSTP Executing UAC Bypass
471 execution T1059 1 Command-Line Interface
472 execution T1223 1 Compiled HTML Help Local Payload
473 execution T1223 2 Compiled HTML Help Remote Payload
474 execution T1196 1 Control Panel Items
475 execution T1173 1 Execute Commands
476 execution T1173 2 Execute PowerShell script via Word DDE
477 execution T1118 1 CheckIfInstallable method call
478 execution T1118 2 InstallHelper method call
479 execution T1118 3 InstallUtil class constructor method call
480 execution T1118 4 InstallUtil Install method call
481 execution T1118 5 InstallUtil Uninstall method call - /U variant
482 execution T1118 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
483 execution T1118 7 InstallUtil HelpText method call
484 execution T1118 8 InstallUtil evasive invocation
485 execution T1152 1 Launchctl
486 execution T1168 1 Cron - Replace crontab with referenced file
487 execution T1168 2 Cron - Add script to cron folder
488 execution T1168 3 Event Monitor Daemon Persistence
489 execution T1170 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
490 execution T1170 2 Mshta calls a local VBScript file to launch notepad.exe
491 execution T1170 3 Mshta executes VBScript to execute malicious command
492 execution T1170 4 Mshta Executes Remote HTML Application (HTA)
493 execution T1086 1 Mimikatz
494 execution T1086 2 BloodHound
495 execution T1086 3 Obfuscation Tests
496 execution T1086 4 Mimikatz - Cradlecraft PsSendKeys
497 execution T1086 5 Invoke-AppPathBypass
498 execution T1086 6 PowerShell Add User
499 execution T1086 7 Powershell MsXml COM object - no prompt
500 execution T1086 8 Powershell MsXml COM object - with prompt
501 execution T1086 9 Powershell XML requests
502 execution T1086 10 Powershell invoke mshta.exe download
503 execution T1086 11 Powershell Invoke-DownloadCradle
504 execution T1086 12 PowerShell Fileless Script Execution
505 execution T1086 13 PowerShell Downgrade Attack
506 execution T1086 14 NTFS Alternate Data Stream Access
507 execution T1121 1 Regasm Uninstall Method Call Test
508 execution T1121 2 Regsvs Uninstall Method Call Test
509 execution T1117 1 Regsvr32 local COM scriptlet execution
510 execution T1117 2 Regsvr32 remote COM scriptlet execution
511 execution T1117 3 Regsvr32 local DLL execution
512 execution T1085 1 Rundll32 execute JavaScript Remote Payload With GetObject
513 execution T1085 2 Rundll32 execute VBscript command
514 execution T1085 3 Rundll32 advpack.dll Execution
515 execution T1085 4 Rundll32 ieadvpack.dll Execution
516 execution T1085 5 Rundll32 syssetup.dll Execution
517 execution T1085 6 Rundll32 setupapi.dll Execution
518 execution T1053 1 At.exe Scheduled task
519 execution T1053 2 Scheduled task Local
520 execution T1053 3 Scheduled task Remote
521 execution T1053 4 Powershell Cmdlet Scheduled Task
522 execution T1064 1 Create and Execute Bash Shell Script
523 execution T1064 2 Create and Execute Batch Script
524 execution T1035 1 Execute a Command as a Service
525 execution T1035 2 Use PsExec to execute a command on a remote host
526 execution T1218 1 mavinject - Inject DLL into running process
527 execution T1218 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code
528 execution T1218 3 Register-CimProvider - Execute evil dll
529 execution T1218 4 Msiexec.exe - Execute Local MSI file
530 execution T1218 5 Msiexec.exe - Execute Remote MSI file
531 execution T1218 6 Msiexec.exe - Execute Arbitrary DLL
532 execution T1218 7 Odbcconf.exe - Execute Arbitrary DLL
533 execution T1218 8 InfDefaultInstall.exe .inf Execution
534 execution T1216 1 PubPrn.vbs Signed Script Bypass
535 execution T1216 2 SyncAppvPublishingServer Signed Script PowerShell Command Execution
536 execution T1216 3 manage-bde.wsf Signed Script Command Execution
537 execution T1153 1 Execute Script using Source
538 execution T1153 2 Execute Script using Source Alias
539 execution T1151 1 Space After Filename
540 execution T1154 1 Trap
541 execution T1127 1 MSBuild Bypass Using Inline Tasks
542 execution T1204 1 OSTap Style Macro Execution
543 execution T1204 2 Maldoc choice flags command execution
544 execution T1204 3 OSTAP JS version
545 execution T1047 1 WMI Reconnaissance Users
546 execution T1047 2 WMI Reconnaissance Processes
547 execution T1047 3 WMI Reconnaissance Software
548 execution T1047 4 WMI Reconnaissance List Remote Services
549 execution T1047 5 WMI Execute Local Process
550 execution T1047 6 WMI Execute Remote Process
551 execution T1028 1 Enable Windows Remote Management
552 execution T1028 2 PowerShell Lateral Movement
553 execution T1028 3 WMIC Process Call Create
554 execution T1028 4 Psexec
555 execution T1028 5 Invoke-Command
556 execution T1220 1 MSXSL Bypass using local files
557 execution T1220 2 MSXSL Bypass using remote files
558 execution T1220 3 WMIC bypass using local XSL file
559 execution T1220 4 WMIC bypass using remote XSL file
560 lateral-movement T1155 1 AppleScript
561 lateral-movement T1037 1 Logon Scripts
562 lateral-movement T1037 2 Scheduled Task Startup Script
563 lateral-movement T1037 3 Logon Scripts - Mac
564 lateral-movement T1037 4 Supicious vbs file run from startup Folder
565 lateral-movement T1037 5 Supicious jse file run from startup Folder
566 lateral-movement T1037 6 Supicious bat file run from startup Folder
567 lateral-movement T1075 1 Mimikatz Pass the Hash
568 lateral-movement T1075 2 crackmapexec Pass the Hash
569 lateral-movement T1097 1 Mimikatz Kerberos Ticket Attack
570 lateral-movement T1076 1 RDP
571 lateral-movement T1076 2 RDPto-DomainController
572 lateral-movement T1105 1 rsync remote file copy (push)
573 lateral-movement T1105 2 rsync remote file copy (pull)
574 lateral-movement T1105 3 scp remote file copy (push)
575 lateral-movement T1105 4 scp remote file copy (pull)
576 lateral-movement T1105 5 sftp remote file copy (push)
577 lateral-movement T1105 6 sftp remote file copy (pull)
578 lateral-movement T1105 7 certutil download (urlcache)
579 lateral-movement T1105 8 certutil download (verifyctl)
580 lateral-movement T1105 9 Windows - BITSAdmin BITS Download
581 lateral-movement T1105 10 Windows - PowerShell Download
582 lateral-movement T1105 11 OSTAP Worming Activity
583 lateral-movement T1077 1 Map admin share
584 lateral-movement T1077 2 Map Admin Share PowerShell
585 lateral-movement T1077 3 Copy and Execute File with PsExec
586 lateral-movement T1077 4 Execute command writing output to local Admin Share
587 lateral-movement T1028 1 Enable Windows Remote Management
588 lateral-movement T1028 2 PowerShell Lateral Movement
589 lateral-movement T1028 3 WMIC Process Call Create
590 lateral-movement T1028 4 Psexec
591 lateral-movement T1028 5 Invoke-Command
592 collection T1123 1 using device audio capture commandlet
593 collection T1119 1 Automated Collection Command Prompt
594 collection T1119 2 Automated Collection PowerShell
595 collection T1119 3 Recon information for export with PowerShell
596 collection T1119 4 Recon information for export with Command Prompt
597 collection T1115 1 Utilize Clipboard to store or execute commands from
598 collection T1115 2 PowerShell
599 collection T1074 1 Stage data from Discovery.bat
600 collection T1074 2 Stage data from Discovery.sh
601 collection T1074 3 Zip a Folder with PowerShell for Staging in Temp
602 collection T1005 1 Search macOS Safari Cookies
603 collection T1114 1 T1114 Email Collection with PowerShell
604 collection T1056 1 Input Capture
605 collection T1113 1 Screencapture
606 collection T1113 2 Screencapture (silent)
607 collection T1113 3 X Windows Capture
608 collection T1113 4 Import
609 exfiltration T1002 1 Compress Data for Exfiltration With PowerShell
610 exfiltration T1002 2 Compress Data for Exfiltration With Rar
611 exfiltration T1002 3 Data Compressed - nix - zip
612 exfiltration T1002 4 Data Compressed - nix - gzip Single File
613 exfiltration T1002 5 Data Compressed - nix - tar Folder or File
614 exfiltration T1022 1 Data Encrypted with zip and gpg symmetric
615 exfiltration T1022 2 Compress Data and lock with password for Exfiltration with winrar
616 exfiltration T1022 3 Compress Data and lock with password for Exfiltration with winzip
617 exfiltration T1022 4 Compress Data and lock with password for Exfiltration with 7zip
618 exfiltration T1030 1 Data Transfer Size Limits
619 exfiltration T1048 1 Exfiltration Over Alternative Protocol - SSH
620 exfiltration T1048 2 Exfiltration Over Alternative Protocol - SSH
621 exfiltration T1048 3 Exfiltration Over Alternative Protocol - HTTP
622 exfiltration T1048 4 Exfiltration Over Alternative Protocol - ICMP
623 exfiltration T1048 5 Exfiltration Over Alternative Protocol - DNS
624 command-and-control T1090 1 Connection Proxy
625 command-and-control T1090 2 portproxy reg key
626 command-and-control T1132 1 Base64 Encoded data.
627 command-and-control T1219 1 TeamViewer Files Detected Test on Windows
628 command-and-control T1105 1 rsync remote file copy (push)
629 command-and-control T1105 2 rsync remote file copy (pull)
630 command-and-control T1105 3 scp remote file copy (push)
631 command-and-control T1105 4 scp remote file copy (pull)
632 command-and-control T1105 5 sftp remote file copy (push)
633 command-and-control T1105 6 sftp remote file copy (pull)
634 command-and-control T1105 7 certutil download (urlcache)
635 command-and-control T1105 8 certutil download (verifyctl)
636 command-and-control T1105 9 Windows - BITSAdmin BITS Download
637 command-and-control T1105 10 Windows - PowerShell Download
638 command-and-control T1105 11 OSTAP Worming Activity
639 command-and-control T1071 1 Malicious User Agents - Powershell
640 command-and-control T1071 2 Malicious User Agents - CMD
641 command-and-control T1071 3 Malicious User Agents - Nix
642 command-and-control T1071 4 DNS Large Query Volume
643 command-and-control T1071 5 DNS Regular Beaconing
644 command-and-control T1071 6 DNS Long Domain Query
645 command-and-control T1071 7 DNS C2
646 command-and-control T1071 8 OSTap Payload Download
647 command-and-control T1032 1 OpenSSL C2
648 command-and-control T1095 1 ICMP C2
649 command-and-control T1095 2 Netcat C2
650 command-and-control T1095 3 Powercat C2
651 command-and-control T1065 1 Testing usage of uncommonly used port with PowerShell
652 command-and-control T1065 2 Testing usage of uncommonly used port
653 command-and-control T1102 1 Reach out to C2 Pointer URLs via command_prompt
654 command-and-control T1102 2 Reach out to C2 Pointer URLs via powershell
655 initial-access T1193 1 Download Phishing Attachment - VBScript
+149
View File
@@ -0,0 +1,149 @@
Tactic,Technique #,Test #,Test Name
persistence,T1156,1,Add command to .bash_profile
persistence,T1156,2,Add command to .bashrc
persistence,T1176,1,Chrome (Developer Mode)
persistence,T1176,2,Chrome (Chrome Web Store)
persistence,T1176,3,Firefox
persistence,T1136,1,Create a user account on a Linux system
persistence,T1136,5,Create a new user in Linux with `root` UID and GID.
persistence,T1158,1,Create a hidden file in a hidden directory
persistence,T1215,1,Linux - Load Kernel Module via insmod
persistence,T1168,1,Cron - Replace crontab with referenced file
persistence,T1168,2,Cron - Add script to cron folder
persistence,T1168,3,Event Monitor Daemon Persistence
persistence,T1166,1,Make and modify binary from C source
persistence,T1166,2,Set a SetUID flag on file
persistence,T1166,3,Set a SetGID flag on file
persistence,T1501,1,Create Systemd Service
persistence,T1154,1,Trap
impact,T1485,5,macOS/Linux - Overwrite file with DD
impact,T1496,1,macOS/Linux - Simulate CPU Load with Yes
impact,T1529,3,Restart System via `shutdown` - macOS/Linux
impact,T1529,4,Shutdown System via `shutdown` - macOS/Linux
impact,T1529,5,Restart System via `reboot` - macOS/Linux
impact,T1529,6,Shutdown System via `halt` - Linux
impact,T1529,7,Reboot System via `halt` - Linux
impact,T1529,8,Shutdown System via `poweroff` - Linux
impact,T1529,9,Reboot System via `poweroff` - Linux
discovery,T1087,1,Enumerate all accounts
discovery,T1087,2,View sudoers access
discovery,T1087,3,View accounts with UID 0
discovery,T1087,4,List opened files by user
discovery,T1087,5,Show if a user account has ever logged in remotely
discovery,T1087,6,Enumerate users and groups
discovery,T1217,1,List Mozilla Firefox Bookmark Database Files on Linux
discovery,T1083,3,Nix File and Diectory Discovery
discovery,T1083,4,Nix File and Directory Discovery 2
discovery,T1046,1,Port Scan
discovery,T1046,2,Port Scan Nmap
discovery,T1135,1,Network Share Discovery
discovery,T1040,1,Packet Capture Linux
discovery,T1201,1,Examine password complexity policy - Ubuntu
discovery,T1201,2,Examine password complexity policy - CentOS/RHEL 7.x
discovery,T1201,3,Examine password complexity policy - CentOS/RHEL 6.x
discovery,T1201,4,Examine password expiration policy - All Linux
discovery,T1069,1,Permission Groups Discovery
discovery,T1057,1,Process Discovery - ps
discovery,T1018,6,Remote System Discovery - arp nix
discovery,T1018,7,Remote System Discovery - sweep
discovery,T1082,2,System Information Discovery
discovery,T1082,3,List OS Information
discovery,T1082,4,Linux VM Check via Hardware
discovery,T1082,5,Linux VM Check via Kernel Modules
discovery,T1082,7,Hostname Discovery
discovery,T1016,3,System Network Configuration Discovery
discovery,T1049,3,System Network Connections Discovery Linux & MacOS
discovery,T1033,2,System Owner/User Discovery
credential-access,T1139,1,Search Through Bash History
credential-access,T1081,2,Extract passwords with grep
credential-access,T1040,1,Packet Capture Linux
credential-access,T1145,2,Discover Private SSH Keys
credential-access,T1145,3,Copy Private SSH Keys with CP
credential-access,T1145,4,Copy Private SSH Keys with rsync
defense-evasion,T1009,1,Pad Binary to Change Hash - Linux/macOS dd
defense-evasion,T1146,1,Clear Bash history (rm)
defense-evasion,T1146,2,Clear Bash history (echo)
defense-evasion,T1146,3,Clear Bash history (cat dev/null)
defense-evasion,T1146,4,Clear Bash history (ln dev/null)
defense-evasion,T1146,5,Clear Bash history (truncate)
defense-evasion,T1146,6,Clear history of a bunch of shells
defense-evasion,T1090,1,Connection Proxy
defense-evasion,T1089,1,Disable iptables firewall
defense-evasion,T1089,2,Disable syslog
defense-evasion,T1089,3,Disable Cb Response
defense-evasion,T1089,4,Disable SELinux
defense-evasion,T1107,1,Delete a single file - Linux/macOS
defense-evasion,T1107,2,Delete an entire folder - Linux/macOS
defense-evasion,T1107,3,Overwrite and delete a file with shred
defense-evasion,T1107,12,Delete Filesystem - Linux
defense-evasion,T1222,8,chmod - Change file or folder mode (numeric mode)
defense-evasion,T1222,9,chmod - Change file or folder mode (symbolic mode)
defense-evasion,T1222,10,chmod - Change file or folder mode (numeric mode) recursively
defense-evasion,T1222,11,chmod - Change file or folder mode (symbolic mode) recursively
defense-evasion,T1222,12,chown - Change file or folder ownership and group
defense-evasion,T1222,13,chown - Change file or folder ownership and group recursively
defense-evasion,T1222,14,chown - Change file or folder mode ownership only
defense-evasion,T1222,15,chown - Change file or folder ownership recursively
defense-evasion,T1222,16,chattr - Remove immutable file attribute
defense-evasion,T1148,1,Disable history collection
defense-evasion,T1148,2,Mac HISTCONTROL
defense-evasion,T1158,1,Create a hidden file in a hidden directory
defense-evasion,T1070,3,rm -rf
defense-evasion,T1070,4,Overwrite Linux Mail Spool
defense-evasion,T1070,5,Overwrite Linux Log
defense-evasion,T1130,1,Install root CA on CentOS/RHEL
defense-evasion,T1036,2,Masquerading as Linux crond process.
defense-evasion,T1027,1,Decode base64 Data into Script
defense-evasion,T1055,3,Shared Library Injection via /etc/ld.so.preload
defense-evasion,T1055,4,Shared Library Injection via LD_PRELOAD
defense-evasion,T1014,1,Loadable Kernel Module based Rootkit
defense-evasion,T1014,2,Loadable Kernel Module based Rootkit
defense-evasion,T1064,1,Create and Execute Bash Shell Script
defense-evasion,T1099,1,Set a file's access timestamp
defense-evasion,T1099,2,Set a file's modification timestamp
defense-evasion,T1099,3,Set a file's creation timestamp
defense-evasion,T1099,4,Modify file timestamps using reference file
lateral-movement,T1105,1,rsync remote file copy (push)
lateral-movement,T1105,2,rsync remote file copy (pull)
lateral-movement,T1105,3,scp remote file copy (push)
lateral-movement,T1105,4,scp remote file copy (pull)
lateral-movement,T1105,5,sftp remote file copy (push)
lateral-movement,T1105,6,sftp remote file copy (pull)
collection,T1074,2,Stage data from Discovery.sh
collection,T1113,3,X Windows Capture
collection,T1113,4,Import
exfiltration,T1002,3,Data Compressed - nix - zip
exfiltration,T1002,4,Data Compressed - nix - gzip Single File
exfiltration,T1002,5,Data Compressed - nix - tar Folder or File
exfiltration,T1022,1,Data Encrypted with zip and gpg symmetric
exfiltration,T1030,1,Data Transfer Size Limits
exfiltration,T1048,1,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,2,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,3,Exfiltration Over Alternative Protocol - HTTP
exfiltration,T1048,5,Exfiltration Over Alternative Protocol - DNS
execution,T1059,1,Command-Line Interface
execution,T1168,1,Cron - Replace crontab with referenced file
execution,T1168,2,Cron - Add script to cron folder
execution,T1168,3,Event Monitor Daemon Persistence
execution,T1064,1,Create and Execute Bash Shell Script
execution,T1153,1,Execute Script using Source
execution,T1153,2,Execute Script using Source Alias
execution,T1154,1,Trap
command-and-control,T1090,1,Connection Proxy
command-and-control,T1132,1,Base64 Encoded data.
command-and-control,T1105,1,rsync remote file copy (push)
command-and-control,T1105,2,rsync remote file copy (pull)
command-and-control,T1105,3,scp remote file copy (push)
command-and-control,T1105,4,scp remote file copy (pull)
command-and-control,T1105,5,sftp remote file copy (push)
command-and-control,T1105,6,sftp remote file copy (pull)
command-and-control,T1071,3,Malicious User Agents - Nix
command-and-control,T1065,2,Testing usage of uncommonly used port
privilege-escalation,T1055,3,Shared Library Injection via /etc/ld.so.preload
privilege-escalation,T1055,4,Shared Library Injection via LD_PRELOAD
privilege-escalation,T1166,1,Make and modify binary from C source
privilege-escalation,T1166,2,Set a SetUID flag on file
privilege-escalation,T1166,3,Set a SetGID flag on file
privilege-escalation,T1169,1,Sudo usage
privilege-escalation,T1206,1,Unlimited sudo cache timeout
privilege-escalation,T1206,2,Disable tty_tickets for sudo caching
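Review bot: the Test Name field is written unquoted throughout this hunk, so any test name containing a comma would split into a fifth column and break the four-column layout declared in the header `Tactic,Technique #,Test #,Test Name`; none of the 148 Linux rows here contain one, but the by-tactic index rendered earlier on this page includes `Registry dump of SAM, creds, and secrets`, which shows such names exist in the atomics. Have the generator quote fields (or emit through a CSV writer that quotes on demand) so the per-OS indexes stay parseable as the test set grows. Separately, the row `discovery,T1083,3,Nix File and Diectory Discovery` carries a typo that originates in the atomic's own name; fix it in the source atomic so the regenerated indexes pick it up, rather than hand-editing this generated file.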
84 defense-evasion T1222 13 chown - Change file or folder ownership and group recursively
85 defense-evasion T1222 14 chown - Change file or folder mode ownership only
86 defense-evasion T1222 15 chown - Change file or folder ownership recursively
87 defense-evasion T1222 16 chattr - Remove immutable file attribute
88 defense-evasion T1148 1 Disable history collection
89 defense-evasion T1148 2 Mac HISTCONTROL
90 defense-evasion T1158 1 Create a hidden file in a hidden directory
91 defense-evasion T1070 3 rm -rf
92 defense-evasion T1070 4 Overwrite Linux Mail Spool
93 defense-evasion T1070 5 Overwrite Linux Log
94 defense-evasion T1130 1 Install root CA on CentOS/RHEL
95 defense-evasion T1036 2 Masquerading as Linux crond process.
96 defense-evasion T1027 1 Decode base64 Data into Script
97 defense-evasion T1055 3 Shared Library Injection via /etc/ld.so.preload
98 defense-evasion T1055 4 Shared Library Injection via LD_PRELOAD
99 defense-evasion T1014 1 Loadable Kernel Module based Rootkit
100 defense-evasion T1014 2 Loadable Kernel Module based Rootkit
101 defense-evasion T1064 1 Create and Execute Bash Shell Script
102 defense-evasion T1099 1 Set a file's access timestamp
103 defense-evasion T1099 2 Set a file's modification timestamp
104 defense-evasion T1099 3 Set a file's creation timestamp
105 defense-evasion T1099 4 Modify file timestamps using reference file
106 lateral-movement T1105 1 rsync remote file copy (push)
107 lateral-movement T1105 2 rsync remote file copy (pull)
108 lateral-movement T1105 3 scp remote file copy (push)
109 lateral-movement T1105 4 scp remote file copy (pull)
110 lateral-movement T1105 5 sftp remote file copy (push)
111 lateral-movement T1105 6 sftp remote file copy (pull)
112 collection T1074 2 Stage data from Discovery.sh
113 collection T1113 3 X Windows Capture
114 collection T1113 4 Import
115 exfiltration T1002 3 Data Compressed - nix - zip
116 exfiltration T1002 4 Data Compressed - nix - gzip Single File
117 exfiltration T1002 5 Data Compressed - nix - tar Folder or File
118 exfiltration T1022 1 Data Encrypted with zip and gpg symmetric
119 exfiltration T1030 1 Data Transfer Size Limits
120 exfiltration T1048 1 Exfiltration Over Alternative Protocol - SSH
121 exfiltration T1048 2 Exfiltration Over Alternative Protocol - SSH
122 exfiltration T1048 3 Exfiltration Over Alternative Protocol - HTTP
123 exfiltration T1048 5 Exfiltration Over Alternative Protocol - DNS
124 execution T1059 1 Command-Line Interface
125 execution T1168 1 Cron - Replace crontab with referenced file
126 execution T1168 2 Cron - Add script to cron folder
127 execution T1168 3 Event Monitor Daemon Persistence
128 execution T1064 1 Create and Execute Bash Shell Script
129 execution T1153 1 Execute Script using Source
130 execution T1153 2 Execute Script using Source Alias
131 execution T1154 1 Trap
132 command-and-control T1090 1 Connection Proxy
133 command-and-control T1132 1 Base64 Encoded data.
134 command-and-control T1105 1 rsync remote file copy (push)
135 command-and-control T1105 2 rsync remote file copy (pull)
136 command-and-control T1105 3 scp remote file copy (push)
137 command-and-control T1105 4 scp remote file copy (pull)
138 command-and-control T1105 5 sftp remote file copy (push)
139 command-and-control T1105 6 sftp remote file copy (pull)
140 command-and-control T1071 3 Malicious User Agents - Nix
141 command-and-control T1065 2 Testing usage of uncommonly used port
142 privilege-escalation T1055 3 Shared Library Injection via /etc/ld.so.preload
143 privilege-escalation T1055 4 Shared Library Injection via LD_PRELOAD
144 privilege-escalation T1166 1 Make and modify binary from C source
145 privilege-escalation T1166 2 Set a SetUID flag on file
146 privilege-escalation T1166 3 Set a SetGID flag on file
147 privilege-escalation T1169 1 Sudo usage
148 privilege-escalation T1206 1 Unlimited sudo cache timeout
149 privilege-escalation T1206 2 Disable tty_tickets for sudo caching
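The new per-OS CSV indexes make cross-platform coverage questions easy to answer with a few lines of code. The following is an added example, not code from the atomic-red-team project: it parses the `Tactic,Technique #,Test #,Test Name` layout shown on this page, reports techniques that have a test on one OS but not the other, flags test rows that share a name within the same tactic and technique (so they cannot be told apart by name alone), and checks whether the tactics appear in ATT&CK order. The sample rows are a constructed subset of the Linux and macOS tables on this page, and the `ATTACK_TACTIC_ORDER` list is an assumption about the reference ordering, not something the index files define.

```python
"""Consume the per-OS Atomic Red Team CSV indexes added in this commit.

Added example, not part of the atomic-red-team repository. The CSV layout
(Tactic,Technique #,Test #,Test Name) is the one shown on this page; the
sample rows below are a constructed subset of the Linux and macOS indexes
so the script runs offline. Pass real file contents instead, e.g.
open("atomics/Indexes-CSV/linux-index.csv").read().
"""
import csv
import io
from collections import Counter, defaultdict

# Assumption: ATT&CK Enterprise tactic order, used as the reference
# ordering. The index files themselves do not define an order.
ATTACK_TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]

# Constructed sample: a subset of the rows visible in the Linux index.
LINUX_INDEX_CSV = """Tactic,Technique #,Test #,Test Name
persistence,T1168,1,Cron - Replace crontab with referenced file
persistence,T1501,1,Create Systemd Service
impact,T1529,6,Shutdown System via `halt` - Linux
discovery,T1040,1,Packet Capture Linux
credential-access,T1040,1,Packet Capture Linux
credential-access,T1145,3,Copy Private SSH Keys with CP
defense-evasion,T1089,4,Disable SELinux
exfiltration,T1048,1,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,2,Exfiltration Over Alternative Protocol - SSH
"""

# Constructed sample: a subset of the rows visible in the macOS index.
MACOS_INDEX_CSV = """Tactic,Technique #,Test #,Test Name
persistence,T1168,1,Cron - Replace crontab with referenced file
persistence,T1159,1,Launch Agent
persistence,T1164,1,Re-Opened Applications
persistence,T1164,2,Re-Opened Applications
discovery,T1040,2,Packet Capture macOS
credential-access,T1142,1,Keychain
defense-evasion,T1144,1,Gatekeeper Bypass
exfiltration,T1048,1,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,2,Exfiltration Over Alternative Protocol - SSH
"""


def parse_index(text):
    """Parse an index CSV into a list of dicts with normalised keys.

    csv.DictReader also handles quoted names that contain commas, such as
    "Persist, Download, & Execute" in the Windows index.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "tactic": rec["Tactic"].strip(),
            "technique": rec["Technique #"].strip(),
            "test": int(rec["Test #"]),
            "name": rec["Test Name"].strip(),
        })
    return rows


def techniques_by_tactic(rows):
    """Map each tactic to the sorted technique IDs that have a test."""
    cov = defaultdict(set)
    for r in rows:
        cov[r["tactic"]].add(r["technique"])
    return {t: sorted(v) for t, v in cov.items()}


def techniques_only_in(rows_a, rows_b):
    """Technique IDs with a test in index A but none in index B."""
    a = {r["technique"] for r in rows_a}
    b = {r["technique"] for r in rows_b}
    return sorted(a - b)


def duplicate_test_names(rows):
    """(tactic, technique, name) keys shared by more than one test number.

    Such rows cannot be told apart by name, which matters when the index is
    all someone reads before choosing a test to run.
    """
    counts = Counter((r["tactic"], r["technique"], r["name"]) for r in rows)
    return sorted(k for k, n in counts.items() if n > 1)


def tactic_order_violations(rows):
    """Adjacent (earlier, later) tactic pairs in the file that disagree
    with ATTACK_TACTIC_ORDER; an empty list means the file is sorted."""
    seen = []
    for r in rows:
        if r["tactic"] not in seen:
            seen.append(r["tactic"])
    rank = {t: i for i, t in enumerate(ATTACK_TACTIC_ORDER)}
    return [(a, b) for a, b in zip(seen, seen[1:]) if rank[a] > rank[b]]


if __name__ == "__main__":
    linux = parse_index(LINUX_INDEX_CSV)
    macos = parse_index(MACOS_INDEX_CSV)
    print("Linux-only techniques:", techniques_only_in(linux, macos))
    print("macOS-only techniques:", techniques_only_in(macos, linux))
    print("Ambiguous names (macOS):", duplicate_test_names(macos))
    print("Tactic order issues (Linux):", tactic_order_violations(linux))
```

Run against the real files, the same functions give a quick answer to "which techniques are only exercised on Windows" or "which rows need a more specific name" before the next regeneration of the indexes.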
+160
View File
@@ -0,0 +1,160 @@
Tactic,Technique #,Test #,Test Name
persistence,T1156,1,Add command to .bash_profile
persistence,T1156,2,Add command to .bashrc
persistence,T1176,1,Chrome (Developer Mode)
persistence,T1176,2,Chrome (Chrome Web Store)
persistence,T1176,3,Firefox
persistence,T1136,2,Create a user account on a MacOS system
persistence,T1519,1,Persistance with Event Monitor - emond
persistence,T1158,1,Create a hidden file in a hidden directory
persistence,T1158,2,Mac Hidden file
persistence,T1158,5,Hidden files
persistence,T1158,6,Hide a Directory
persistence,T1158,7,Show all hidden files
persistence,T1159,1,Launch Agent
persistence,T1160,1,Launch Daemon
persistence,T1152,1,Launchctl
persistence,T1168,1,Cron - Replace crontab with referenced file
persistence,T1168,2,Cron - Add script to cron folder
persistence,T1168,3,Event Monitor Daemon Persistence
persistence,T1037,3,Logon Scripts - Mac
persistence,T1150,1,Plist Modification
persistence,T1163,1,rc.common
persistence,T1164,1,Re-Opened Applications
persistence,T1164,2,Re-Opened Applications
persistence,T1166,1,Make and modify binary from C source
persistence,T1166,2,Set a SetUID flag on file
persistence,T1166,3,Set a SetGID flag on file
persistence,T1165,1,add file to Local Library StartupItems
persistence,T1154,1,Trap
impact,T1485,5,macOS/Linux - Overwrite file with DD
impact,T1496,1,macOS/Linux - Simulate CPU Load with Yes
impact,T1529,3,Restart System via `shutdown` - macOS/Linux
impact,T1529,4,Shutdown System via `shutdown` - macOS/Linux
impact,T1529,5,Restart System via `reboot` - macOS/Linux
discovery,T1087,1,Enumerate all accounts
discovery,T1087,2,View sudoers access
discovery,T1087,3,View accounts with UID 0
discovery,T1087,4,List opened files by user
discovery,T1087,6,Enumerate users and groups
discovery,T1087,7,Enumerate users and groups
discovery,T1217,2,List Mozilla Firefox Bookmark Database Files on macOS
discovery,T1217,3,List Google Chrome Bookmark JSON Files on macOS
discovery,T1083,3,Nix File and Diectory Discovery
discovery,T1083,4,Nix File and Directory Discovery 2
discovery,T1046,1,Port Scan
discovery,T1046,2,Port Scan Nmap
discovery,T1135,1,Network Share Discovery
discovery,T1040,2,Packet Capture macOS
discovery,T1201,7,Examine password policy - macOS
discovery,T1069,1,Permission Groups Discovery
discovery,T1057,1,Process Discovery - ps
discovery,T1018,6,Remote System Discovery - arp nix
discovery,T1018,7,Remote System Discovery - sweep
discovery,T1063,3,Security Software Discovery - ps
discovery,T1082,2,System Information Discovery
discovery,T1082,3,List OS Information
discovery,T1082,7,Hostname Discovery
discovery,T1016,3,System Network Configuration Discovery
discovery,T1049,3,System Network Connections Discovery Linux & MacOS
discovery,T1033,2,System Owner/User Discovery
execution,T1155,1,AppleScript
execution,T1059,1,Command-Line Interface
execution,T1152,1,Launchctl
execution,T1168,1,Cron - Replace crontab with referenced file
execution,T1168,2,Cron - Add script to cron folder
execution,T1168,3,Event Monitor Daemon Persistence
execution,T1064,1,Create and Execute Bash Shell Script
execution,T1153,1,Execute Script using Source
execution,T1153,2,Execute Script using Source Alias
execution,T1151,1,Space After Filename
execution,T1154,1,Trap
lateral-movement,T1155,1,AppleScript
lateral-movement,T1037,3,Logon Scripts - Mac
lateral-movement,T1105,1,rsync remote file copy (push)
lateral-movement,T1105,2,rsync remote file copy (pull)
lateral-movement,T1105,3,scp remote file copy (push)
lateral-movement,T1105,4,scp remote file copy (pull)
lateral-movement,T1105,5,sftp remote file copy (push)
lateral-movement,T1105,6,sftp remote file copy (pull)
collection,T1074,2,Stage data from Discovery.sh
collection,T1005,1,Search macOS Safari Cookies
collection,T1113,1,Screencapture
collection,T1113,2,Screencapture (silent)
exfiltration,T1002,3,Data Compressed - nix - zip
exfiltration,T1002,4,Data Compressed - nix - gzip Single File
exfiltration,T1002,5,Data Compressed - nix - tar Folder or File
exfiltration,T1022,1,Data Encrypted with zip and gpg symmetric
exfiltration,T1030,1,Data Transfer Size Limits
exfiltration,T1048,1,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,2,Exfiltration Over Alternative Protocol - SSH
exfiltration,T1048,3,Exfiltration Over Alternative Protocol - HTTP
credential-access,T1139,1,Search Through Bash History
credential-access,T1081,1,Extract Browser and System credentials with LaZagne
credential-access,T1081,2,Extract passwords with grep
credential-access,T1141,1,AppleScript - Prompt User for Password
credential-access,T1142,1,Keychain
credential-access,T1040,2,Packet Capture macOS
credential-access,T1145,2,Discover Private SSH Keys
credential-access,T1145,4,Copy Private SSH Keys with rsync
defense-evasion,T1009,1,Pad Binary to Change Hash - Linux/macOS dd
defense-evasion,T1146,1,Clear Bash history (rm)
defense-evasion,T1146,2,Clear Bash history (echo)
defense-evasion,T1146,3,Clear Bash history (cat dev/null)
defense-evasion,T1146,4,Clear Bash history (ln dev/null)
defense-evasion,T1146,6,Clear history of a bunch of shells
defense-evasion,T1090,1,Connection Proxy
defense-evasion,T1089,5,Disable Carbon Black Response
defense-evasion,T1089,6,Disable LittleSnitch
defense-evasion,T1089,7,Disable OpenDNS Umbrella
defense-evasion,T1107,1,Delete a single file - Linux/macOS
defense-evasion,T1107,2,Delete an entire folder - Linux/macOS
defense-evasion,T1107,14,Delete TeamViewer Log Files
defense-evasion,T1222,8,chmod - Change file or folder mode (numeric mode)
defense-evasion,T1222,9,chmod - Change file or folder mode (symbolic mode)
defense-evasion,T1222,10,chmod - Change file or folder mode (numeric mode) recursively
defense-evasion,T1222,11,chmod - Change file or folder mode (symbolic mode) recursively
defense-evasion,T1222,12,chown - Change file or folder ownership and group
defense-evasion,T1222,13,chown - Change file or folder ownership and group recursively
defense-evasion,T1222,14,chown - Change file or folder mode ownership only
defense-evasion,T1222,15,chown - Change file or folder ownership recursively
defense-evasion,T1222,16,chattr - Remove immutable file attribute
defense-evasion,T1144,1,Gatekeeper Bypass
defense-evasion,T1148,1,Disable history collection
defense-evasion,T1148,2,Mac HISTCONTROL
defense-evasion,T1158,1,Create a hidden file in a hidden directory
defense-evasion,T1158,2,Mac Hidden file
defense-evasion,T1158,5,Hidden files
defense-evasion,T1158,6,Hide a Directory
defense-evasion,T1158,7,Show all hidden files
defense-evasion,T1147,1,Hidden Users
defense-evasion,T1070,3,rm -rf
defense-evasion,T1152,1,Launchctl
defense-evasion,T1027,1,Decode base64 Data into Script
defense-evasion,T1150,1,Plist Modification
defense-evasion,T1064,1,Create and Execute Bash Shell Script
defense-evasion,T1151,1,Space After Filename
defense-evasion,T1099,1,Set a file's access timestamp
defense-evasion,T1099,2,Set a file's modification timestamp
defense-evasion,T1099,3,Set a file's creation timestamp
defense-evasion,T1099,4,Modify file timestamps using reference file
command-and-control,T1090,1,Connection Proxy
command-and-control,T1132,1,Base64 Encoded data.
command-and-control,T1105,1,rsync remote file copy (push)
command-and-control,T1105,2,rsync remote file copy (pull)
command-and-control,T1105,3,scp remote file copy (push)
command-and-control,T1105,4,scp remote file copy (pull)
command-and-control,T1105,5,sftp remote file copy (push)
command-and-control,T1105,6,sftp remote file copy (pull)
command-and-control,T1071,3,Malicious User Agents - Nix
command-and-control,T1065,2,Testing usage of uncommonly used port
privilege-escalation,T1519,1,Persistance with Event Monitor - emond
privilege-escalation,T1160,1,Launch Daemon
privilege-escalation,T1150,1,Plist Modification
privilege-escalation,T1166,1,Make and modify binary from C source
privilege-escalation,T1166,2,Set a SetUID flag on file
privilege-escalation,T1166,3,Set a SetGID flag on file
privilege-escalation,T1165,1,add file to Local Library StartupItems
privilege-escalation,T1169,1,Sudo usage
privilege-escalation,T1206,1,Unlimited sudo cache timeout
privilege-escalation,T1206,2,Disable tty_tickets for sudo caching
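Review bot: The tactic order in this macOS index does not match the Linux index on the same page and neither follows ATT&CK tactic order (here: persistence, impact, discovery, execution, lateral-movement, collection, exfiltration, credential-access, defense-evasion, command-and-control, privilege-escalation; the Linux file puts credential-access and defense-evasion before lateral-movement), so the per-OS files cannot be compared row by row; sort on a fixed tactic list in the generator rather than on whatever order the atomics are discovered in. Since these CSVs are generated, the typos in `persistence,T1519,1,Persistance with Event Monitor - emond` and `discovery,T1083,3,Nix File and Diectory Discovery` should be fixed in the `name` field of the source technique YAML and regenerated, not patched here. Several rows are indistinguishable by name within the same technique (`persistence,T1164,1,Re-Opened Applications` / `persistence,T1164,2,Re-Opened Applications`, T1087 tests 6 and 7, T1048 tests 1 and 2); either give those tests distinct names at the source or add a column that separates them, for example the executor.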
@@ -0,0 +1,461 @@
Tactic,Technique #,Test #,Test Name
defense-evasion,T1197,1,Bitsadmin Download (cmd)
defense-evasion,T1197,2,Bitsadmin Download (PowerShell)
defense-evasion,T1197,3,"Persist, Download, & Execute"
defense-evasion,T1088,1,Bypass UAC using Event Viewer (cmd)
defense-evasion,T1088,2,Bypass UAC using Event Viewer (PowerShell)
defense-evasion,T1088,3,Bypass UAC using Fodhelper
defense-evasion,T1088,4,Bypass UAC using Fodhelper - PowerShell
defense-evasion,T1088,5,Bypass UAC using ComputerDefaults (PowerShell)
defense-evasion,T1088,6,Bypass UAC by Mocking Trusted Directories
defense-evasion,T1191,1,CMSTP Executing Remote Scriptlet
defense-evasion,T1191,2,CMSTP Executing UAC Bypass
defense-evasion,T1500,1,Compile After Delivery using csc.exe
defense-evasion,T1223,1,Compiled HTML Help Local Payload
defense-evasion,T1223,2,Compiled HTML Help Remote Payload
defense-evasion,T1090,2,portproxy reg key
defense-evasion,T1196,1,Control Panel Items
defense-evasion,T1207,1,DCShadow - Mimikatz
defense-evasion,T1038,1,DLL Search Order Hijacking - amsi.dll
defense-evasion,T1073,1,DLL Side-Loading using the Notepad++ GUP.exe binary
defense-evasion,T1140,1,Deobfuscate/Decode Files Or Information
defense-evasion,T1140,2,Certutil Rename and Decode
defense-evasion,T1089,8,Unload Sysmon Filter Driver
defense-evasion,T1089,9,Disable Windows IIS HTTP Logging
defense-evasion,T1089,10,Uninstall Sysmon
defense-evasion,T1089,11,AMSI Bypass - AMSI InitFailed
defense-evasion,T1089,12,AMSI Bypass - Remove AMSI Provider Reg Key
defense-evasion,T1089,13,Disable Arbitrary Security Windows Service
defense-evasion,T1089,14,Disable PowerShell Script Block Logging
defense-evasion,T1089,15,PowerShell Bypass of AntiMalware Scripting Interface
defense-evasion,T1089,16,Tamper with Windows Defender ATP PowerShell
defense-evasion,T1089,17,Tamper with Windows Defender Command Prompt
defense-evasion,T1089,18,Tamper with Windows Defender Registry
defense-evasion,T1089,19,Disable Microft Office Security Features
defense-evasion,T1089,20,Remove Windows Defender Definition Files
defense-evasion,T1107,4,Delete a single file - Windows cmd
defense-evasion,T1107,5,Delete an entire folder - Windows cmd
defense-evasion,T1107,6,Delete a single file - Windows PowerShell
defense-evasion,T1107,7,Delete an entire folder - Windows PowerShell
defense-evasion,T1107,8,Delete VSS - vssadmin
defense-evasion,T1107,9,Delete VSS - wmic
defense-evasion,T1107,10,bcdedit
defense-evasion,T1107,11,wbadmin
defense-evasion,T1107,13,Delete-PrefetchFile
defense-evasion,T1107,14,Delete TeamViewer Log Files
defense-evasion,T1222,1,Take ownership using takeown utility
defense-evasion,T1222,2,Take ownership recursively using takeown utility
defense-evasion,T1222,3,cacls - Grant permission to specified user or group
defense-evasion,T1222,4,cacls - Grant permission to specified user or group recursively
defense-evasion,T1222,5,icacls - Grant permission to specified user or group
defense-evasion,T1222,6,icacls - Grant permission to specified user or group recursively
defense-evasion,T1222,7,attrib - Remove read-only attribute
defense-evasion,T1158,3,Create Windows System File with Attrib
defense-evasion,T1158,4,Create Windows Hidden File with Attrib
defense-evasion,T1158,8,Create ADS command prompt
defense-evasion,T1158,9,Create ADS PowerShell
defense-evasion,T1143,1,Hidden Window
defense-evasion,T1183,1,IFEO Add Debugger
defense-evasion,T1183,2,IFEO Global Flags
defense-evasion,T1070,1,Clear Logs
defense-evasion,T1070,2,FSUtil
defense-evasion,T1070,6,Delete System Logs Using PowerShell
defense-evasion,T1070,7,Delete System Logs Using Clear-EventLogId
defense-evasion,T1202,1,Indirect Command Execution - pcalua.exe
defense-evasion,T1202,2,Indirect Command Execution - forfiles.exe
defense-evasion,T1118,1,CheckIfInstallable method call
defense-evasion,T1118,2,InstallHelper method call
defense-evasion,T1118,3,InstallUtil class constructor method call
defense-evasion,T1118,4,InstallUtil Install method call
defense-evasion,T1118,5,InstallUtil Uninstall method call - /U variant
defense-evasion,T1118,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
defense-evasion,T1118,7,InstallUtil HelpText method call
defense-evasion,T1118,8,InstallUtil evasive invocation
defense-evasion,T1036,1,Masquerading as Windows LSASS process
defense-evasion,T1036,3,Masquerading - cscript.exe running as notepad.exe
defense-evasion,T1036,4,Masquerading - wscript.exe running as svchost.exe
defense-evasion,T1036,5,Masquerading - powershell.exe running as taskhostw.exe
defense-evasion,T1036,6,Masquerading - non-windows exe running as windows exe
defense-evasion,T1036,7,Masquerading - windows exe running as different windows exe
defense-evasion,T1036,8,Malicious process Masquerading as LSM.exe
defense-evasion,T1112,1,Modify Registry of Current User Profile - cmd
defense-evasion,T1112,2,Modify Registry of Local Machine - cmd
defense-evasion,T1112,3,Modify Registry of Another User Profile
defense-evasion,T1112,4,Modify registry to store logon credentials
defense-evasion,T1112,5,Modify registry to store PowerShell code
defense-evasion,T1112,6,Add domain to Trusted sites Zone
defense-evasion,T1112,7,Javascript in registry
defense-evasion,T1170,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
defense-evasion,T1170,2,Mshta calls a local VBScript file to launch notepad.exe
defense-evasion,T1170,3,Mshta executes VBScript to execute malicious command
defense-evasion,T1170,4,Mshta Executes Remote HTML Application (HTA)
defense-evasion,T1096,1,Alternate Data Streams (ADS)
defense-evasion,T1096,2,Store file in Alternate Data Stream (ADS)
defense-evasion,T1126,1,Add Network Share
defense-evasion,T1126,2,Remove Network Share
defense-evasion,T1126,3,Remove Network Share PowerShell
defense-evasion,T1027,2,Execute base64-encoded PowerShell
defense-evasion,T1027,3,Execute base64-encoded PowerShell from Windows Registry
defense-evasion,T1502,1,Parent PID Spoofing using PowerShell
defense-evasion,T1093,1,Process Hollowing using PowerShell
defense-evasion,T1055,1,Process Injection via mavinject.exe
defense-evasion,T1055,2,Process Injection via PowerSploit
defense-evasion,T1055,5,Process Injection via C#
defense-evasion,T1055,6,svchost writing a file to a UNC path
defense-evasion,T1121,1,Regasm Uninstall Method Call Test
defense-evasion,T1121,2,Regsvs Uninstall Method Call Test
defense-evasion,T1117,1,Regsvr32 local COM scriptlet execution
defense-evasion,T1117,2,Regsvr32 remote COM scriptlet execution
defense-evasion,T1117,3,Regsvr32 local DLL execution
defense-evasion,T1014,3,Windows Signed Driver Rootkit Test
defense-evasion,T1085,1,Rundll32 execute JavaScript Remote Payload With GetObject
defense-evasion,T1085,2,Rundll32 execute VBscript command
defense-evasion,T1085,3,Rundll32 advpack.dll Execution
defense-evasion,T1085,4,Rundll32 ieadvpack.dll Execution
defense-evasion,T1085,5,Rundll32 syssetup.dll Execution
defense-evasion,T1085,6,Rundll32 setupapi.dll Execution
defense-evasion,T1064,2,Create and Execute Batch Script
defense-evasion,T1218,1,mavinject - Inject DLL into running process
defense-evasion,T1218,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code
defense-evasion,T1218,3,Register-CimProvider - Execute evil dll
defense-evasion,T1218,4,Msiexec.exe - Execute Local MSI file
defense-evasion,T1218,5,Msiexec.exe - Execute Remote MSI file
defense-evasion,T1218,6,Msiexec.exe - Execute Arbitrary DLL
defense-evasion,T1218,7,Odbcconf.exe - Execute Arbitrary DLL
defense-evasion,T1218,8,InfDefaultInstall.exe .inf Execution
defense-evasion,T1216,1,PubPrn.vbs Signed Script Bypass
defense-evasion,T1216,2,SyncAppvPublishingServer Signed Script PowerShell Command Execution
defense-evasion,T1216,3,manage-bde.wsf Signed Script Command Execution
defense-evasion,T1099,5,Windows - Modify file creation timestamp with PowerShell
defense-evasion,T1099,6,Windows - Modify file last modified timestamp with PowerShell
defense-evasion,T1099,7,Windows - Modify file last access timestamp with PowerShell
defense-evasion,T1127,1,MSBuild Bypass Using Inline Tasks
defense-evasion,T1102,1,Reach out to C2 Pointer URLs via command_prompt
defense-evasion,T1102,2,Reach out to C2 Pointer URLs via powershell
defense-evasion,T1220,1,MSXSL Bypass using local files
defense-evasion,T1220,2,MSXSL Bypass using remote files
defense-evasion,T1220,3,WMIC bypass using local XSL file
defense-evasion,T1220,4,WMIC bypass using remote XSL file
privilege-escalation,T1015,1,Attaches Command Prompt as a Debugger to a List of Target Processes
privilege-escalation,T1103,1,Install AppInit Shim
privilege-escalation,T1138,1,Application Shim Installation
privilege-escalation,T1138,2,New shim database files created in the default shim database directory
privilege-escalation,T1138,3,Registry key creation and/or modification events for SDB
privilege-escalation,T1088,1,Bypass UAC using Event Viewer (cmd)
privilege-escalation,T1088,2,Bypass UAC using Event Viewer (PowerShell)
privilege-escalation,T1088,3,Bypass UAC using Fodhelper
privilege-escalation,T1088,4,Bypass UAC using Fodhelper - PowerShell
privilege-escalation,T1088,5,Bypass UAC using ComputerDefaults (PowerShell)
privilege-escalation,T1088,6,Bypass UAC by Mocking Trusted Directories
privilege-escalation,T1038,1,DLL Search Order Hijacking - amsi.dll
privilege-escalation,T1044,1,File System Permissions Weakness
privilege-escalation,T1179,1,Hook PowerShell TLS Encrypt/Decrypt Messages
privilege-escalation,T1183,1,IFEO Add Debugger
privilege-escalation,T1183,2,IFEO Global Flags
privilege-escalation,T1050,1,Service Installation
privilege-escalation,T1050,2,Service Installation PowerShell
privilege-escalation,T1502,1,Parent PID Spoofing using PowerShell
privilege-escalation,T1504,1,Append malicious start-process cmdlet
privilege-escalation,T1055,1,Process Injection via mavinject.exe
privilege-escalation,T1055,2,Process Injection via PowerSploit
privilege-escalation,T1055,5,Process Injection via C#
privilege-escalation,T1055,6,svchost writing a file to a UNC path
privilege-escalation,T1053,1,At.exe Scheduled task
privilege-escalation,T1053,2,Scheduled task Local
privilege-escalation,T1053,3,Scheduled task Remote
privilege-escalation,T1053,4,Powershell Cmdlet Scheduled Task
privilege-escalation,T1058,1,Service Registry Permissions Weakness
privilege-escalation,T1100,1,Web Shell Written to Disk
persistence,T1015,1,Attaches Command Prompt as a Debugger to a List of Target Processes
persistence,T1098,1,Admin Account Manipulate
persistence,T1103,1,Install AppInit Shim
persistence,T1138,1,Application Shim Installation
persistence,T1138,2,New shim database files created in the default shim database directory
persistence,T1138,3,Registry key creation and/or modification events for SDB
persistence,T1197,1,Bitsadmin Download (cmd)
persistence,T1197,2,Bitsadmin Download (PowerShell)
persistence,T1197,3,"Persist, Download, & Execute"
persistence,T1176,1,Chrome (Developer Mode)
persistence,T1176,2,Chrome (Chrome Web Store)
persistence,T1176,3,Firefox
persistence,T1042,1,Change Default File Association
persistence,T1136,3,Create a new user in a command prompt
persistence,T1136,4,Create a new user in PowerShell
persistence,T1038,1,DLL Search Order Hijacking - amsi.dll
persistence,T1044,1,File System Permissions Weakness
persistence,T1158,3,Create Windows System File with Attrib
persistence,T1158,4,Create Windows Hidden File with Attrib
persistence,T1158,8,Create ADS command prompt
persistence,T1158,9,Create ADS PowerShell
persistence,T1179,1,Hook PowerShell TLS Encrypt/Decrypt Messages
persistence,T1062,1,Installing Hyper-V Feature
persistence,T1183,1,IFEO Add Debugger
persistence,T1183,2,IFEO Global Flags
persistence,T1037,1,Logon Scripts
persistence,T1037,2,Scheduled Task Startup Script
persistence,T1037,4,Supicious vbs file run from startup Folder
persistence,T1037,5,Supicious jse file run from startup Folder
persistence,T1037,6,Supicious bat file run from startup Folder
persistence,T1031,1,Modify Fax service to run PowerShell
persistence,T1128,1,Netsh Helper DLL Registration
persistence,T1050,1,Service Installation
persistence,T1050,2,Service Installation PowerShell
persistence,T1137,1,DDEAUTO
persistence,T1504,1,Append malicious start-process cmdlet
persistence,T1060,1,Reg Key Run
persistence,T1060,2,Reg Key RunOnce
persistence,T1060,3,PowerShell Registry RunOnce
persistence,T1053,1,At.exe Scheduled task
persistence,T1053,2,Scheduled task Local
persistence,T1053,3,Scheduled task Remote
persistence,T1053,4,Powershell Cmdlet Scheduled Task
persistence,T1180,1,Set Arbitrary Binary as Screensaver
persistence,T1101,1,Modify SSP configuration in registry
persistence,T1505,1,Install MS Exchange Transport Agent Persistence
persistence,T1058,1,Service Registry Permissions Weakness
persistence,T1023,1,Shortcut Modification
persistence,T1023,2,Create shortcut to cmd in startup folders
persistence,T1100,1,Web Shell Written to Disk
persistence,T1084,1,Persistence
persistence,T1004,1,Winlogon Shell Key Persistence - PowerShell
persistence,T1004,2,Winlogon Userinit Key Persistence - PowerShell
persistence,T1004,3,Winlogon Notify Key Logon Persistence - PowerShell
impact,T1531,1,Change User Password - Windows
impact,T1531,2,Delete User - Windows
impact,T1485,1,Windows - Delete Volume Shadow Copies
impact,T1485,2,Windows - Delete Windows Backup Catalog
impact,T1485,3,Windows - Disable Windows Recovery Console Repair
impact,T1485,4,Windows - Overwrite file with Sysinternals SDelete
impact,T1485,6,Windows - Delete Backup Files
impact,T1490,1,Windows - Delete Volume Shadow Copies
impact,T1490,2,Windows - Delete Volume Shadow Copies via WMI
impact,T1490,3,Windows - Delete Windows Backup Catalog
impact,T1490,4,Windows - Disable Windows Recovery Console Repair
impact,T1490,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell
impact,T1489,1,Windows - Stop service using Service Controller
impact,T1489,2,Windows - Stop service using net.exe
impact,T1489,3,Windows - Stop service by killing process
impact,T1529,1,Shutdown System - Windows
impact,T1529,2,Restart System - Windows
discovery,T1087,8,Enumerate all accounts
discovery,T1087,9,Enumerate all accounts via PowerShell
discovery,T1087,10,Enumerate logged on users
discovery,T1087,11,Enumerate logged on users via PowerShell
discovery,T1010,1,List Process Main Windows - C# .NET
discovery,T1217,4,List Google Chrome Bookmarks on Windows with powershell
discovery,T1217,5,List Google Chrome Bookmarks on Windows with command prompt
discovery,T1482,1,Windows - Discover domain trusts with dsquery
discovery,T1482,2,Windows - Discover domain trusts with nltest
discovery,T1482,3,Powershell enumerate domains and forests
discovery,T1083,1,File and Directory Discovery (cmd.exe)
discovery,T1083,2,File and Directory Discovery (PowerShell)
discovery,T1135,2,Network Share Discovery command prompt
discovery,T1135,3,Network Share Discovery PowerShell
discovery,T1135,4,View available share drives
discovery,T1040,3,Packet Capture Windows Command Prompt
discovery,T1040,4,Packet Capture PowerShell
discovery,T1201,5,Examine local password policy - Windows
discovery,T1201,6,Examine domain password policy - Windows
discovery,T1069,2,Basic Permission Groups Discovery Windows
discovery,T1069,3,Permission Groups Discovery PowerShell
discovery,T1069,4,Elevated group enumeration using net group
discovery,T1057,2,Process Discovery - tasklist
discovery,T1012,1,Query Registry
discovery,T1018,1,Remote System Discovery - net
discovery,T1018,2,Remote System Discovery - net group Domain Computers
discovery,T1018,3,Remote System Discovery - nltest
discovery,T1018,4,Remote System Discovery - ping sweep
discovery,T1018,5,Remote System Discovery - arp
discovery,T1018,8,Remote System Discovery - nslookup
discovery,T1063,1,Security Software Discovery
discovery,T1063,2,Security Software Discovery - powershell
discovery,T1063,4,Security Software Discovery - Sysmon Service
discovery,T1063,5,Security Software Discovery - AV Discovery via WMI
discovery,T1518,1,Find and Display Internet Explorer Browser Version
discovery,T1518,2,Applications Installed
discovery,T1082,1,System Information Discovery
discovery,T1082,6,Hostname Discovery (Windows)
discovery,T1082,8,Windows MachineGUID Discovery
discovery,T1016,1,System Network Configuration Discovery
discovery,T1016,2,List Windows Firewall Rules
discovery,T1016,4,System Network Configuration Discovery (TrickBot Style)
discovery,T1016,5,List Open Egress Ports
discovery,T1049,1,System Network Connections Discovery
discovery,T1049,2,System Network Connections Discovery with PowerShell
discovery,T1033,1,System Owner/User Discovery
discovery,T1007,1,System Service Discovery
discovery,T1007,2,System Service Discovery - net.exe
discovery,T1124,1,System Time Discovery
discovery,T1124,2,System Time Discovery - PowerShell
credential-access,T1098,1,Admin Account Manipulate
credential-access,T1110,1,Brute Force Credentials
credential-access,T1003,1,Powershell Mimikatz
credential-access,T1003,2,Gsecdump
credential-access,T1003,3,Windows Credential Editor
credential-access,T1003,4,"Registry dump of SAM, creds, and secrets"
credential-access,T1003,5,Dump LSASS.exe Memory using ProcDump
credential-access,T1003,6,Dump LSASS.exe Memory using Windows Task Manager
credential-access,T1003,7,Offline Credential Theft With Mimikatz
credential-access,T1003,8,Dump Active Directory Database with NTDSUtil
credential-access,T1003,9,Create Volume Shadow Copy with NTDS.dit
credential-access,T1003,10,Copy NTDS.dit from Volume Shadow Copy
credential-access,T1003,11,GPP Passwords (findstr)
credential-access,T1003,12,GPP Passwords (Get-GPPPassword)
credential-access,T1003,13,LSASS read with pypykatz
credential-access,T1003,14,Registry parse with pypykatz
credential-access,T1081,3,Extracting passwords with findstr
credential-access,T1081,4,Access unattend.xml
credential-access,T1214,1,Enumeration for Credentials in Registry
credential-access,T1214,2,Enumeration for PuTTY Credentials in Registry
credential-access,T1179,1,Hook PowerShell TLS Encrypt/Decrypt Messages
credential-access,T1056,1,Input Capture
credential-access,T1141,2,PowerShell - Prompt User for Password
credential-access,T1208,1,Request for service tickets
credential-access,T1040,3,Packet Capture Windows Command Prompt
credential-access,T1040,4,Packet Capture PowerShell
credential-access,T1174,1,Install and Register Password Filter DLL
credential-access,T1145,1,Private Keys
lateral-movement,T1037,1,Logon Scripts
lateral-movement,T1037,2,Scheduled Task Startup Script
lateral-movement,T1037,4,Supicious vbs file run from startup Folder
lateral-movement,T1037,5,Supicious jse file run from startup Folder
lateral-movement,T1037,6,Supicious bat file run from startup Folder
lateral-movement,T1075,1,Mimikatz Pass the Hash
lateral-movement,T1075,2,crackmapexec Pass the Hash
lateral-movement,T1097,1,Mimikatz Kerberos Ticket Attack
lateral-movement,T1076,1,RDP
lateral-movement,T1076,2,RDPto-DomainController
lateral-movement,T1105,7,certutil download (urlcache)
lateral-movement,T1105,8,certutil download (verifyctl)
lateral-movement,T1105,9,Windows - BITSAdmin BITS Download
lateral-movement,T1105,10,Windows - PowerShell Download
lateral-movement,T1105,11,OSTAP Worming Activity
lateral-movement,T1077,1,Map admin share
lateral-movement,T1077,2,Map Admin Share PowerShell
lateral-movement,T1077,3,Copy and Execute File with PsExec
lateral-movement,T1077,4,Execute command writing output to local Admin Share
lateral-movement,T1028,1,Enable Windows Remote Management
lateral-movement,T1028,2,PowerShell Lateral Movement
lateral-movement,T1028,3,WMIC Process Call Create
lateral-movement,T1028,4,Psexec
lateral-movement,T1028,5,Invoke-Command
collection,T1123,1,using device audio capture commandlet
collection,T1119,1,Automated Collection Command Prompt
collection,T1119,2,Automated Collection PowerShell
collection,T1119,3,Recon information for export with PowerShell
collection,T1119,4,Recon information for export with Command Prompt
collection,T1115,1,Utilize Clipboard to store or execute commands from
collection,T1115,2,PowerShell
collection,T1074,1,Stage data from Discovery.bat
collection,T1074,3,Zip a Folder with PowerShell for Staging in Temp
collection,T1114,1,T1114 Email Collection with PowerShell
collection,T1056,1,Input Capture
exfiltration,T1002,1,Compress Data for Exfiltration With PowerShell
exfiltration,T1002,2,Compress Data for Exfiltration With Rar
exfiltration,T1022,2,Compress Data and lock with password for Exfiltration with winrar
exfiltration,T1022,3,Compress Data and lock with password for Exfiltration with winzip
exfiltration,T1022,4,Compress Data and lock with password for Exfiltration with 7zip
exfiltration,T1048,4,Exfiltration Over Alternative Protocol - ICMP
execution,T1191,1,CMSTP Executing Remote Scriptlet
execution,T1191,2,CMSTP Executing UAC Bypass
execution,T1223,1,Compiled HTML Help Local Payload
execution,T1223,2,Compiled HTML Help Remote Payload
execution,T1196,1,Control Panel Items
execution,T1173,1,Execute Commands
execution,T1173,2,Execute PowerShell script via Word DDE
execution,T1118,1,CheckIfInstallable method call
execution,T1118,2,InstallHelper method call
execution,T1118,3,InstallUtil class constructor method call
execution,T1118,4,InstallUtil Install method call
execution,T1118,5,InstallUtil Uninstall method call - /U variant
execution,T1118,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
execution,T1118,7,InstallUtil HelpText method call
execution,T1118,8,InstallUtil evasive invocation
execution,T1170,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
execution,T1170,2,Mshta calls a local VBScript file to launch notepad.exe
execution,T1170,3,Mshta executes VBScript to execute malicious command
execution,T1170,4,Mshta Executes Remote HTML Application (HTA)
execution,T1086,1,Mimikatz
execution,T1086,2,BloodHound
execution,T1086,3,Obfuscation Tests
execution,T1086,4,Mimikatz - Cradlecraft PsSendKeys
execution,T1086,5,Invoke-AppPathBypass
execution,T1086,6,PowerShell Add User
execution,T1086,7,Powershell MsXml COM object - no prompt
execution,T1086,8,Powershell MsXml COM object - with prompt
execution,T1086,9,Powershell XML requests
execution,T1086,10,Powershell invoke mshta.exe download
execution,T1086,11,Powershell Invoke-DownloadCradle
execution,T1086,12,PowerShell Fileless Script Execution
execution,T1086,13,PowerShell Downgrade Attack
execution,T1086,14,NTFS Alternate Data Stream Access
execution,T1121,1,Regasm Uninstall Method Call Test
execution,T1121,2,Regsvs Uninstall Method Call Test
execution,T1117,1,Regsvr32 local COM scriptlet execution
execution,T1117,2,Regsvr32 remote COM scriptlet execution
execution,T1117,3,Regsvr32 local DLL execution
execution,T1085,1,Rundll32 execute JavaScript Remote Payload With GetObject
execution,T1085,2,Rundll32 execute VBscript command
execution,T1085,3,Rundll32 advpack.dll Execution
execution,T1085,4,Rundll32 ieadvpack.dll Execution
execution,T1085,5,Rundll32 syssetup.dll Execution
execution,T1085,6,Rundll32 setupapi.dll Execution
execution,T1053,1,At.exe Scheduled task
execution,T1053,2,Scheduled task Local
execution,T1053,3,Scheduled task Remote
execution,T1053,4,Powershell Cmdlet Scheduled Task
execution,T1064,2,Create and Execute Batch Script
execution,T1035,1,Execute a Command as a Service
execution,T1035,2,Use PsExec to execute a command on a remote host
execution,T1218,1,mavinject - Inject DLL into running process
execution,T1218,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code
execution,T1218,3,Register-CimProvider - Execute evil dll
execution,T1218,4,Msiexec.exe - Execute Local MSI file
execution,T1218,5,Msiexec.exe - Execute Remote MSI file
execution,T1218,6,Msiexec.exe - Execute Arbitrary DLL
execution,T1218,7,Odbcconf.exe - Execute Arbitrary DLL
execution,T1218,8,InfDefaultInstall.exe .inf Execution
execution,T1216,1,PubPrn.vbs Signed Script Bypass
execution,T1216,2,SyncAppvPublishingServer Signed Script PowerShell Command Execution
execution,T1216,3,manage-bde.wsf Signed Script Command Execution
execution,T1127,1,MSBuild Bypass Using Inline Tasks
execution,T1204,1,OSTap Style Macro Execution
execution,T1204,2,Maldoc choice flags command execution
execution,T1204,3,OSTAP JS version
execution,T1047,1,WMI Reconnaissance Users
execution,T1047,2,WMI Reconnaissance Processes
execution,T1047,3,WMI Reconnaissance Software
execution,T1047,4,WMI Reconnaissance List Remote Services
execution,T1047,5,WMI Execute Local Process
execution,T1047,6,WMI Execute Remote Process
execution,T1028,1,Enable Windows Remote Management
execution,T1028,2,PowerShell Lateral Movement
execution,T1028,3,WMIC Process Call Create
execution,T1028,4,Psexec
execution,T1028,5,Invoke-Command
execution,T1220,1,MSXSL Bypass using local files
execution,T1220,2,MSXSL Bypass using remote files
execution,T1220,3,WMIC bypass using local XSL file
execution,T1220,4,WMIC bypass using remote XSL file
command-and-control,T1090,2,portproxy reg key
command-and-control,T1219,1,TeamViewer Files Detected Test on Windows
command-and-control,T1105,7,certutil download (urlcache)
command-and-control,T1105,8,certutil download (verifyctl)
command-and-control,T1105,9,Windows - BITSAdmin BITS Download
command-and-control,T1105,10,Windows - PowerShell Download
command-and-control,T1105,11,OSTAP Worming Activity
command-and-control,T1071,1,Malicious User Agents - Powershell
command-and-control,T1071,2,Malicious User Agents - CMD
command-and-control,T1071,4,DNS Large Query Volume
command-and-control,T1071,5,DNS Regular Beaconing
command-and-control,T1071,6,DNS Long Domain Query
command-and-control,T1071,7,DNS C2
command-and-control,T1071,8,OSTap Payload Download
command-and-control,T1032,1,OpenSSL C2
command-and-control,T1095,1,ICMP C2
command-and-control,T1095,2,Netcat C2
command-and-control,T1095,3,Powercat C2
command-and-control,T1065,1,Testing usage of uncommonly used port with PowerShell
command-and-control,T1102,1,Reach out to C2 Pointer URLs via command_prompt
command-and-control,T1102,2,Reach out to C2 Pointer URLs via powershell
initial-access,T1193,1,Download Phishing Attachment - VBScript
271 discovery T1063 2 Security Software Discovery - powershell
272 discovery T1063 4 Security Software Discovery - Sysmon Service
273 discovery T1063 5 Security Software Discovery - AV Discovery via WMI
274 discovery T1518 1 Find and Display Internet Explorer Browser Version
275 discovery T1518 2 Applications Installed
276 discovery T1082 1 System Information Discovery
277 discovery T1082 6 Hostname Discovery (Windows)
278 discovery T1082 8 Windows MachineGUID Discovery
279 discovery T1016 1 System Network Configuration Discovery
280 discovery T1016 2 List Windows Firewall Rules
281 discovery T1016 4 System Network Configuration Discovery (TrickBot Style)
282 discovery T1016 5 List Open Egress Ports
283 discovery T1049 1 System Network Connections Discovery
284 discovery T1049 2 System Network Connections Discovery with PowerShell
285 discovery T1033 1 System Owner/User Discovery
286 discovery T1007 1 System Service Discovery
287 discovery T1007 2 System Service Discovery - net.exe
288 discovery T1124 1 System Time Discovery
289 discovery T1124 2 System Time Discovery - PowerShell
290 credential-access T1098 1 Admin Account Manipulate
291 credential-access T1110 1 Brute Force Credentials
292 credential-access T1003 1 Powershell Mimikatz
293 credential-access T1003 2 Gsecdump
294 credential-access T1003 3 Windows Credential Editor
295 credential-access T1003 4 Registry dump of SAM, creds, and secrets
296 credential-access T1003 5 Dump LSASS.exe Memory using ProcDump
297 credential-access T1003 6 Dump LSASS.exe Memory using Windows Task Manager
298 credential-access T1003 7 Offline Credential Theft With Mimikatz
299 credential-access T1003 8 Dump Active Directory Database with NTDSUtil
300 credential-access T1003 9 Create Volume Shadow Copy with NTDS.dit
301 credential-access T1003 10 Copy NTDS.dit from Volume Shadow Copy
302 credential-access T1003 11 GPP Passwords (findstr)
303 credential-access T1003 12 GPP Passwords (Get-GPPPassword)
304 credential-access T1003 13 LSASS read with pypykatz
305 credential-access T1003 14 Registry parse with pypykatz
306 credential-access T1081 3 Extracting passwords with findstr
307 credential-access T1081 4 Access unattend.xml
308 credential-access T1214 1 Enumeration for Credentials in Registry
309 credential-access T1214 2 Enumeration for PuTTY Credentials in Registry
310 credential-access T1179 1 Hook PowerShell TLS Encrypt/Decrypt Messages
311 credential-access T1056 1 Input Capture
312 credential-access T1141 2 PowerShell - Prompt User for Password
313 credential-access T1208 1 Request for service tickets
314 credential-access T1040 3 Packet Capture Windows Command Prompt
315 credential-access T1040 4 Packet Capture PowerShell
316 credential-access T1174 1 Install and Register Password Filter DLL
317 credential-access T1145 1 Private Keys
318 lateral-movement T1037 1 Logon Scripts
319 lateral-movement T1037 2 Scheduled Task Startup Script
320 lateral-movement T1037 4 Supicious vbs file run from startup Folder
321 lateral-movement T1037 5 Supicious jse file run from startup Folder
322 lateral-movement T1037 6 Supicious bat file run from startup Folder
323 lateral-movement T1075 1 Mimikatz Pass the Hash
324 lateral-movement T1075 2 crackmapexec Pass the Hash
325 lateral-movement T1097 1 Mimikatz Kerberos Ticket Attack
326 lateral-movement T1076 1 RDP
327 lateral-movement T1076 2 RDPto-DomainController
328 lateral-movement T1105 7 certutil download (urlcache)
329 lateral-movement T1105 8 certutil download (verifyctl)
330 lateral-movement T1105 9 Windows - BITSAdmin BITS Download
331 lateral-movement T1105 10 Windows - PowerShell Download
332 lateral-movement T1105 11 OSTAP Worming Activity
333 lateral-movement T1077 1 Map admin share
334 lateral-movement T1077 2 Map Admin Share PowerShell
335 lateral-movement T1077 3 Copy and Execute File with PsExec
336 lateral-movement T1077 4 Execute command writing output to local Admin Share
337 lateral-movement T1028 1 Enable Windows Remote Management
338 lateral-movement T1028 2 PowerShell Lateral Movement
339 lateral-movement T1028 3 WMIC Process Call Create
340 lateral-movement T1028 4 Psexec
341 lateral-movement T1028 5 Invoke-Command
342 collection T1123 1 using device audio capture commandlet
343 collection T1119 1 Automated Collection Command Prompt
344 collection T1119 2 Automated Collection PowerShell
345 collection T1119 3 Recon information for export with PowerShell
346 collection T1119 4 Recon information for export with Command Prompt
347 collection T1115 1 Utilize Clipboard to store or execute commands from
348 collection T1115 2 PowerShell
349 collection T1074 1 Stage data from Discovery.bat
350 collection T1074 3 Zip a Folder with PowerShell for Staging in Temp
351 collection T1114 1 T1114 Email Collection with PowerShell
352 collection T1056 1 Input Capture
353 exfiltration T1002 1 Compress Data for Exfiltration With PowerShell
354 exfiltration T1002 2 Compress Data for Exfiltration With Rar
355 exfiltration T1022 2 Compress Data and lock with password for Exfiltration with winrar
356 exfiltration T1022 3 Compress Data and lock with password for Exfiltration with winzip
357 exfiltration T1022 4 Compress Data and lock with password for Exfiltration with 7zip
358 exfiltration T1048 4 Exfiltration Over Alternative Protocol - ICMP
359 execution T1191 1 CMSTP Executing Remote Scriptlet
360 execution T1191 2 CMSTP Executing UAC Bypass
361 execution T1223 1 Compiled HTML Help Local Payload
362 execution T1223 2 Compiled HTML Help Remote Payload
363 execution T1196 1 Control Panel Items
364 execution T1173 1 Execute Commands
365 execution T1173 2 Execute PowerShell script via Word DDE
366 execution T1118 1 CheckIfInstallable method call
367 execution T1118 2 InstallHelper method call
368 execution T1118 3 InstallUtil class constructor method call
369 execution T1118 4 InstallUtil Install method call
370 execution T1118 5 InstallUtil Uninstall method call - /U variant
371 execution T1118 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
372 execution T1118 7 InstallUtil HelpText method call
373 execution T1118 8 InstallUtil evasive invocation
374 execution T1170 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
375 execution T1170 2 Mshta calls a local VBScript file to launch notepad.exe
376 execution T1170 3 Mshta executes VBScript to execute malicious command
377 execution T1170 4 Mshta Executes Remote HTML Application (HTA)
378 execution T1086 1 Mimikatz
379 execution T1086 2 BloodHound
380 execution T1086 3 Obfuscation Tests
381 execution T1086 4 Mimikatz - Cradlecraft PsSendKeys
382 execution T1086 5 Invoke-AppPathBypass
383 execution T1086 6 PowerShell Add User
384 execution T1086 7 Powershell MsXml COM object - no prompt
385 execution T1086 8 Powershell MsXml COM object - with prompt
386 execution T1086 9 Powershell XML requests
387 execution T1086 10 Powershell invoke mshta.exe download
388 execution T1086 11 Powershell Invoke-DownloadCradle
389 execution T1086 12 PowerShell Fileless Script Execution
390 execution T1086 13 PowerShell Downgrade Attack
391 execution T1086 14 NTFS Alternate Data Stream Access
392 execution T1121 1 Regasm Uninstall Method Call Test
393 execution T1121 2 Regsvs Uninstall Method Call Test
394 execution T1117 1 Regsvr32 local COM scriptlet execution
395 execution T1117 2 Regsvr32 remote COM scriptlet execution
396 execution T1117 3 Regsvr32 local DLL execution
397 execution T1085 1 Rundll32 execute JavaScript Remote Payload With GetObject
398 execution T1085 2 Rundll32 execute VBscript command
399 execution T1085 3 Rundll32 advpack.dll Execution
400 execution T1085 4 Rundll32 ieadvpack.dll Execution
401 execution T1085 5 Rundll32 syssetup.dll Execution
402 execution T1085 6 Rundll32 setupapi.dll Execution
403 execution T1053 1 At.exe Scheduled task
404 execution T1053 2 Scheduled task Local
405 execution T1053 3 Scheduled task Remote
406 execution T1053 4 Powershell Cmdlet Scheduled Task
407 execution T1064 2 Create and Execute Batch Script
408 execution T1035 1 Execute a Command as a Service
409 execution T1035 2 Use PsExec to execute a command on a remote host
410 execution T1218 1 mavinject - Inject DLL into running process
411 execution T1218 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code
412 execution T1218 3 Register-CimProvider - Execute evil dll
413 execution T1218 4 Msiexec.exe - Execute Local MSI file
414 execution T1218 5 Msiexec.exe - Execute Remote MSI file
415 execution T1218 6 Msiexec.exe - Execute Arbitrary DLL
416 execution T1218 7 Odbcconf.exe - Execute Arbitrary DLL
417 execution T1218 8 InfDefaultInstall.exe .inf Execution
418 execution T1216 1 PubPrn.vbs Signed Script Bypass
419 execution T1216 2 SyncAppvPublishingServer Signed Script PowerShell Command Execution
420 execution T1216 3 manage-bde.wsf Signed Script Command Execution
421 execution T1127 1 MSBuild Bypass Using Inline Tasks
422 execution T1204 1 OSTap Style Macro Execution
423 execution T1204 2 Maldoc choice flags command execution
424 execution T1204 3 OSTAP JS version
425 execution T1047 1 WMI Reconnaissance Users
426 execution T1047 2 WMI Reconnaissance Processes
427 execution T1047 3 WMI Reconnaissance Software
428 execution T1047 4 WMI Reconnaissance List Remote Services
429 execution T1047 5 WMI Execute Local Process
430 execution T1047 6 WMI Execute Remote Process
431 execution T1028 1 Enable Windows Remote Management
432 execution T1028 2 PowerShell Lateral Movement
433 execution T1028 3 WMIC Process Call Create
434 execution T1028 4 Psexec
435 execution T1028 5 Invoke-Command
436 execution T1220 1 MSXSL Bypass using local files
437 execution T1220 2 MSXSL Bypass using remote files
438 execution T1220 3 WMIC bypass using local XSL file
439 execution T1220 4 WMIC bypass using remote XSL file
440 command-and-control T1090 2 portproxy reg key
441 command-and-control T1219 1 TeamViewer Files Detected Test on Windows
442 command-and-control T1105 7 certutil download (urlcache)
443 command-and-control T1105 8 certutil download (verifyctl)
444 command-and-control T1105 9 Windows - BITSAdmin BITS Download
445 command-and-control T1105 10 Windows - PowerShell Download
446 command-and-control T1105 11 OSTAP Worming Activity
447 command-and-control T1071 1 Malicious User Agents - Powershell
448 command-and-control T1071 2 Malicious User Agents - CMD
449 command-and-control T1071 4 DNS Large Query Volume
450 command-and-control T1071 5 DNS Regular Beaconing
451 command-and-control T1071 6 DNS Long Domain Query
452 command-and-control T1071 7 DNS C2
453 command-and-control T1071 8 OSTap Payload Download
454 command-and-control T1032 1 OpenSSL C2
455 command-and-control T1095 1 ICMP C2
456 command-and-control T1095 2 Netcat C2
457 command-and-control T1095 3 Powercat C2
458 command-and-control T1065 1 Testing usage of uncommonly used port with PowerShell
459 command-and-control T1102 1 Reach out to C2 Pointer URLs via command_prompt
460 command-and-control T1102 2 Reach out to C2 Pointer URLs via powershell
461 initial-access T1193 1 Download Phishing Attachment - VBScript
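Review bot: several test names in this CSV contain commas (for example `Registry dump of SAM, creds, and secrets` at row 295), so the generator must emit those as quoted fields or the rows gain extra columns when parsed; the rendered view hides quoting, so check the raw file with a CSV parser rather than by eye. A few names also carry defects that originate in the test YAML rather than in this index: `Supicious` in the three T1037 startup-folder tests (rows 320 to 322), T1115 test #2 named only `PowerShell` (row 348), and T1114 test #1 prefixed with its own technique ID (row 351). Fix those in the source atomics and regenerate, since hand-editing a generated index will be overwritten on the next run. Finally, techniques mapped to more than one tactic appear as repeated rows (T1053 under persistence and execution, T1105 under lateral-movement and command-and-control, T1040 under discovery and credential-access, T1056 under credential-access and collection, T1028 under lateral-movement and execution); that is correct for an index keyed by tactic, but it means the row count overstates the number of distinct tests, which is worth a sentence wherever this index is documented.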
+1020
@@ -0,0 +1,1020 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1015 Accessibility Features](./T1015/T1015.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- [T1098 Account Manipulation](./T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- T1131 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](./T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1042 Change Default File Association](./T1042/T1042.md)
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1519 Emond](./T1519/T1519.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Create ADS command prompt [windows]
- Atomic Test #9: Create ADS PowerShell [windows]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1062 Hypervisor](./T1062/T1062.md)
- Atomic Test #1: Installing Hyper-V Feature [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1215 Kernel Modules and Extensions](./T1215/T1215.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1159 Launch Agent](./T1159/T1159.md)
- Atomic Test #1: Launch Agent [macos]
- [T1160 Launch Daemon](./T1160/T1160.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Scheduled Task Startup Script [windows]
- Atomic Test #3: Logon Scripts - Mac [macos]
- Atomic Test #4: Supicious vbs file run from startup Folder [windows]
- Atomic Test #5: Supicious jse file run from startup Folder [windows]
- Atomic Test #6: Supicious bat file run from startup Folder [windows]
- [T1031 Modify Existing Service](./T1031/T1031.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- [T1050 New Service](./T1050/T1050.md)
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell [windows]
- [T1137 Office Application Startup](./T1137/T1137.md)
- Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1163 Rc.common](./T1163/T1163.md)
- Atomic Test #1: rc.common [macos]
- [T1164 Re-opened Applications](./T1164/T1164.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1060 Registry Run Keys / Startup Folder](./T1060/T1060.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1180 Screensaver](./T1180/T1180.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- [T1505 Server Software Component](./T1505/T1505.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1023 Shortcut Modification](./T1023/T1023.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: add file to Local Library StartupItems [macos]
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1501 Systemd Service](./T1501/T1501.md)
- Atomic Test #1: Create Systemd Service [linux]
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# defense-evasion
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](./T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1146 Clear Command History](./T1146/T1146.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1500 Compile After Delivery](./T1500/T1500.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- [T1223 Compiled HTML File](./T1223/T1223.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: portproxy reg key [windows]
- [T1196 Control Panel Items](./T1196/T1196.md)
- Atomic Test #1: Control Panel Items [windows]
- [T1207 DCShadow](./T1207/T1207.md)
- Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1073 DLL Side-Loading](./T1073/T1073.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Unload Sysmon Filter Driver [windows]
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #14: Disable PowerShell Script Block Logging [windows]
- Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
- Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #18: Tamper with Windows Defender Registry [windows]
- Atomic Test #19: Disable Microft Office Security Features [windows]
- Atomic Test #20: Remove Windows Defender Definition Files [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete VSS - vssadmin [windows]
- Atomic Test #9: Delete VSS - wmic [windows]
- Atomic Test #10: bcdedit [windows]
- Atomic Test #11: wbadmin [windows]
- Atomic Test #12: Delete Filesystem - Linux [linux]
- Atomic Test #13: Delete-PrefetchFile [windows]
- Atomic Test #14: Delete TeamViewer Log Files [windows, macos]
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: Take ownership recursively using takeown utility [windows]
- Atomic Test #3: cacls - Grant permission to specified user or group [windows]
- Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #5: icacls - Grant permission to specified user or group [windows]
- Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #7: attrib - Remove read-only attribute [windows]
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- [T1144 Gatekeeper Bypass](./T1144/T1144.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1148 HISTCONTROL](./T1148/T1148.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Create ADS command prompt [windows]
- Atomic Test #9: Create ADS PowerShell [windows]
- [T1147 Hidden Users](./T1147/T1147.md)
- Atomic Test #1: Hidden Users [macos]
- [T1143 Hidden Window](./T1143/T1143.md)
- Atomic Test #1: Hidden Window [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- Atomic Test #6: Delete System Logs Using PowerShell [windows]
- Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1036 Masquerading](./T1036/T1036.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- [T1112 Modify Registry](./T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
- Atomic Test #5: Modify registry to store PowerShell code [windows]
- Atomic Test #6: Add domain to Trusted sites Zone [windows]
- Atomic Test #7: Javascript in registry [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- [T1126 Network Share Connection Removal](./T1126/T1126.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- [T1027 Obfuscated Files or Information](./T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- [T1502 Parent PID Spoofing](./T1502/T1502.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1093 Process Hollowing](./T1093/T1093.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
- Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1151 Space after Filename](./T1151/T1151.md)
- Atomic Test #1: Space After Filename [macos]
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1099 Timestomp](./T1099/T1099.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1102 Web Service](./T1102/T1102.md)
- Atomic Test #1: Reach out to C2 Pointer URLs via command_prompt [windows]
- Atomic Test #2: Reach out to C2 Pointer URLs via powershell [windows]
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1220 XSL Script Processing](./T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# privilege-escalation
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1015 Accessibility Features](./T1015/T1015.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1514 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1519 Emond](./T1519/T1519.md)
  - Atomic Test #1: Persistence with Event Monitor - emond [macos]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- [T1160 Launch Daemon](./T1160/T1160.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1050 New Service](./T1050/T1050.md)
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell [windows]
- [T1502 Parent PID Spoofing](./T1502/T1502.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: add file to Local Library StartupItems [macos]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](./T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](./T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- Atomic Test #8: Enumerate all accounts [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell [windows]
- Atomic Test #10: Enumerate logged on users [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1010 Application Window Discovery](./T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome Bookmarks on Windows with command prompt [windows]
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1482 Domain Trust Discovery](./T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
  - Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](./T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos, linux]
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View available share drives [windows]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
- [T1201 Password Policy Discovery](./T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #7: Examine password policy - macOS [macos]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1069 Permission Groups Discovery](./T1069/T1069.md)
- Atomic Test #1: Permission Groups Discovery [macos, linux]
- Atomic Test #2: Basic Permission Groups Discovery Windows [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell [windows]
- Atomic Test #4: Elevated group enumeration using net group [windows]
- [T1057 Process Discovery](./T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- Atomic Test #2: Process Discovery - tasklist [windows]
- [T1012 Query Registry](./T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows]
- [T1518 Software Discovery](./T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](./T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- [T1007 System Service Discovery](./T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](./T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- [T1139 Bash History](./T1139/T1139.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1110 Brute Force](./T1110/T1110.md)
- Atomic Test #1: Brute Force Credentials [windows]
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003 Credential Dumping](./T1003/T1003.md)
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #11: GPP Passwords (findstr) [windows]
- Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- Atomic Test #13: LSASS read with pypykatz [windows]
- Atomic Test #14: Registry parse with pypykatz [windows]
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1208 Kerberoasting](./T1208/T1208.md)
- Atomic Test #1: Request for service tickets [windows]
- [T1142 Keychain](./T1142/T1142.md)
- Atomic Test #1: Keychain [macos]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
- [T1174 Password Filter DLL](./T1174/T1174.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1145 Private Keys](./T1145/T1145.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1155 AppleScript](./T1155/T1155.md)
- Atomic Test #1: AppleScript [macos]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1059 Command-Line Interface](./T1059/T1059.md)
- Atomic Test #1: Command-Line Interface [macos, linux]
- [T1223 Compiled HTML File](./T1223/T1223.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1196 Control Panel Items](./T1196/T1196.md)
- Atomic Test #1: Control Panel Items [windows]
- [T1173 Dynamic Data Exchange](./T1173/T1173.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1086 PowerShell](./T1086/T1086.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]
- Atomic Test #3: Obfuscation Tests [windows]
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- Atomic Test #13: PowerShell Downgrade Attack [windows]
- Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1035 Service Execution](./T1035/T1035.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
- Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- [T1153 Source](./T1153/T1153.md)
- Atomic Test #1: Execute Script using Source [macos, linux]
- Atomic Test #2: Execute Script using Source Alias [macos, linux]
- [T1151 Space after Filename](./T1151/T1151.md)
- Atomic Test #1: Space After Filename [macos]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- [T1204 User Execution](./T1204/T1204.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: Maldoc choice flags command execution [windows]
- Atomic Test #3: OSTAP JS version [windows]
- [T1047 Windows Management Instrumentation](./T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- Atomic Test #5: Invoke-Command [windows]
- [T1220 XSL Script Processing](./T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# lateral-movement
- [T1155 AppleScript](./T1155/T1155.md)
- Atomic Test #1: AppleScript [macos]
- T1527 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Scheduled Task Startup Script [windows]
- Atomic Test #3: Logon Scripts - Mac [macos]
- Atomic Test #4: Supicious vbs file run from startup Folder [windows]
- Atomic Test #5: Supicious jse file run from startup Folder [windows]
- Atomic Test #6: Supicious bat file run from startup Folder [windows]
- [T1075 Pass the Hash](./T1075/T1075.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
- Atomic Test #1: RDP [windows]
- Atomic Test #2: RDPto-DomainController [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1077 Windows Admin Shares](./T1077/T1077.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- Atomic Test #5: Invoke-Command [windows]
# collection
- [T1123 Audio Capture](./T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- [T1119 Automated Collection](./T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](./T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](./T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Import [linux]
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #3: Data Compressed - nix - zip [linux, macos]
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted with zip and gpg symmetric [macos, linux]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - DNS [linux]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Tools](./T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- Atomic Test #7: DNS C2 [windows]
- Atomic Test #8: OSTap Payload Download [windows]
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- [T1102 Web Service](./T1102/T1102.md)
- Atomic Test #1: Reach out to C2 Pointer URLs via command_prompt [windows]
- Atomic Test #2: Reach out to C2 Pointer URLs via powershell [windows]
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
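Review bot: the test names at L3761-L3763 ("Supicious vbs/jse/bat file run from startup Folder") and L3771 ("RDPto-DomainController") carry typos, but since this index is generated, the fix belongs in the `name` fields of the T1037 and T1076 atomic YAML rather than in this file, or it will be overwritten on the next regeneration; it would also help to mention in the file header that the index is generated and should not be hand-edited.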
@@ -0,0 +1,345 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1098 Account Manipulation](./T1098/T1098.md)
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1215 Kernel Modules and Extensions](./T1215/T1215.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- [T1137 Office Application Startup](./T1137/T1137.md)
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505 Server Software Component](./T1505/T1505.md)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1501 Systemd Service](./T1501/T1501.md)
- Atomic Test #1: Create Systemd Service [linux]
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](./T1490/T1490.md)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](./T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](./T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos, linux]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- [T1201 Password Policy Discovery](./T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- [T1069 Permission Groups Discovery](./T1069/T1069.md)
- Atomic Test #1: Permission Groups Discovery [macos, linux]
- [T1057 Process Discovery](./T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1518 Software Discovery](./T1518/T1518.md)
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #7: Hostname Discovery [linux, macos]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](./T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
- [T1139 Bash History](./T1139/T1139.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1110 Brute Force](./T1110/T1110.md)
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003 Credential Dumping](./T1003/T1003.md)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- [T1145 Private Keys](./T1145/T1145.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1527 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1146 Clear Command History](./T1146/T1146.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- [T1500 Compile After Delivery](./T1500/T1500.md)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
- Atomic Test #3: Disable Cb Response [linux]
- Atomic Test #4: Disable SELinux [linux]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #12: Delete Filesystem - Linux [linux]
- [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- [T1148 HISTCONTROL](./T1148/T1148.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1036 Masquerading](./T1036/T1036.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- [T1027 Obfuscated Files or Information](./T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1151 Space after Filename](./T1151/T1151.md)
- [T1099 Timestomp](./T1099/T1099.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1102 Web Service](./T1102/T1102.md)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1527 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- [T1123 Audio Capture](./T1123/T1123.md)
- [T1119 Automated Collection](./T1119/T1119.md)
- [T1115 Clipboard Data](./T1115/T1115.md)
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- [T1056 Input Capture](./T1056/T1056.md)
- [T1113 Screen Capture](./T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Import [linux]
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
- Atomic Test #3: Data Compressed - nix - zip [linux, macos]
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #5: Exfiltration Over Alternative Protocol - DNS [linux]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059 Command-Line Interface](./T1059/T1059.md)
- Atomic Test #1: Command-Line Interface [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)
- Atomic Test #1: Execute Script using Source [macos, linux]
- Atomic Test #2: Execute Script using Source Alias [macos, linux]
- [T1151 Space after Filename](./T1151/T1151.md)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- [T1204 User Execution](./T1204/T1204.md)
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Tools](./T1219/T1219.md)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- [T1102 Web Service](./T1102/T1102.md)
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# privilege-escalation
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #2: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #3: Shared Library Injection via LD_PRELOAD [linux]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
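Review bot: the technique links in this generated index are relative to the file itself (`./T1219/T1219.md`, `./T1105/T1105.md`, `./T1100/T1100.md`), so they only resolve if the index is written directly into the directory that holds the `Txxxx/` technique folders; if the generator writes the index into a subfolder, these need a `../` prefix, or better, the generator should compute each path relative to the output file's location. A quick check after each regeneration is to click a few links in the rendered file or run a link checker over the generated Markdown.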
@@ -0,0 +1,375 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# persistence
- [T1156 .bash_profile and .bashrc](./T1156/T1156.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #2: Create a user account on a MacOS system [macos]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1519 Emond](./T1519/T1519.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- [T1215 Kernel Modules and Extensions](./T1215/T1215.md)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1159 Launch Agent](./T1159/T1159.md)
- Atomic Test #1: Launch Agent [macos]
- [T1160 Launch Daemon](./T1160/T1160.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #3: Logon Scripts - Mac [macos]
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1163 Rc.common](./T1163/T1163.md)
- Atomic Test #1: rc.common [macos]
- [T1164 Re-opened Applications](./T1164/T1164.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: add file to Local Library StartupItems [macos]
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](./T1490/T1490.md)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](./T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
- Atomic Test #1: Enumerate all accounts [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- [T1010 Application Window Discovery](./T1010/T1010.md)
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](./T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos, linux]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- [T1201 Password Policy Discovery](./T1201/T1201.md)
- Atomic Test #7: Examine password policy - macOS [macos]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1069 Permission Groups Discovery](./T1069/T1069.md)
- Atomic Test #1: Permission Groups Discovery [macos, linux]
- [T1057 Process Discovery](./T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- [T1518 Software Discovery](./T1518/T1518.md)
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #7: Hostname Discovery [linux, macos]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](./T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1155 AppleScript](./T1155/T1155.md)
- Atomic Test #1: AppleScript [macos]
- [T1059 Command-Line Interface](./T1059/T1059.md)
- Atomic Test #1: Command-Line Interface [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)
- Atomic Test #1: Execute Script using Source [macos, linux]
- Atomic Test #2: Execute Script using Source Alias [macos, linux]
- [T1151 Space after Filename](./T1151/T1151.md)
- Atomic Test #1: Space After Filename [macos]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1154 Trap](./T1154/T1154.md)
- Atomic Test #1: Trap [macos, linux]
- [T1204 User Execution](./T1204/T1204.md)
# lateral-movement
- [T1155 AppleScript](./T1155/T1155.md)
- Atomic Test #1: AppleScript [macos]
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #3: Logon Scripts - Mac [macos]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- [T1123 Audio Capture](./T1123/T1123.md)
- [T1119 Automated Collection](./T1119/T1119.md)
- [T1115 Clipboard Data](./T1115/T1115.md)
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- Atomic Test #1: Search macOS Safari Cookies [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
- [T1113 Screen Capture](./T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
- Atomic Test #3: Data Compressed - nix - zip [linux, macos]
- Atomic Test #4: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #5: Data Compressed - nix - tar Folder or File [linux, macos]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #1: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- [T1139 Bash History](./T1139/T1139.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1110 Brute Force](./T1110/T1110.md)
- [T1003 Credential Dumping](./T1003/T1003.md)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
- [T1141 Input Prompt](./T1141/T1141.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- [T1142 Keychain](./T1142/T1142.md)
- Atomic Test #1: Keychain [macos]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- [T1145 Private Keys](./T1145/T1145.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1146 Clear Command History](./T1146/T1146.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1500 Compile After Delivery](./T1500/T1500.md)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #14: Delete TeamViewer Log Files [windows, macos]
- [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
- [T1144 Gatekeeper Bypass](./T1144/T1144.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- [T1148 HISTCONTROL](./T1148/T1148.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- [T1147 Hidden Users](./T1147/T1147.md)
- Atomic Test #1: Hidden Users [macos]
- [T1143 Hidden Window](./T1143/T1143.md)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #3: rm -rf [macos, linux]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1036 Masquerading](./T1036/T1036.md)
- [T1027 Obfuscated Files or Information](./T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055 Process Injection](./T1055/T1055.md)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](./T1014/T1014.md)
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1151 Space after Filename](./T1151/T1151.md)
- Atomic Test #1: Space After Filename [macos]
- [T1099 Timestomp](./T1099/T1099.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1102 Web Service](./T1102/T1102.md)
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Tools](./T1219/T1219.md)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- [T1102 Web Service](./T1102/T1102.md)
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# privilege-escalation
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1514 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1519 Emond](./T1519/T1519.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1160 Launch Daemon](./T1160/T1160.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1150 Plist Modification](./T1150/T1150.md)
- Atomic Test #1: Plist Modification [macos]
- [T1055 Process Injection](./T1055/T1055.md)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: add file to Local Library StartupItems [macos]
- [T1169 Sudo](./T1169/T1169.md)
- Atomic Test #1: Sudo usage [macos, linux]
- [T1206 Sudo Caching](./T1206/T1206.md)
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
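Review bot: the heading hierarchy in the macOS index is flat: the file title (`# macOS Atomic Tests by ATT&CK Tactic & Technique`) and every tactic heading (`# persistence`, `# impact`, `# discovery`, ...) are all level-one headings, so the tactics do not render as sections under the title; emitting tactic headings as `##` would fix that. The tactic order (persistence, impact, discovery, execution, lateral-movement, ...) also looks like dictionary iteration order rather than a deliberate sort; sorting by tactic name or by ATT&CK kill-chain order would keep regenerated diffs stable. The spelling errors in test names ("Persistance with Event Monitor - emond", "Nix File and Diectory Discovery") are carried over from the source atomic YAML files and should be fixed there, since any fix made in this generated file would be overwritten on the next run.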
@@ -0,0 +1,765 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](./T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1500 Compile After Delivery](./T1500/T1500.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- [T1223 Compiled HTML File](./T1223/T1223.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #2: portproxy reg key [windows]
- [T1196 Control Panel Items](./T1196/T1196.md)
- Atomic Test #1: Control Panel Items [windows]
- [T1207 DCShadow](./T1207/T1207.md)
- Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1073 DLL Side-Loading](./T1073/T1073.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #8: Unload Sysmon Filter Driver [windows]
- Atomic Test #9: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #10: Uninstall Sysmon [windows]
- Atomic Test #11: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #12: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #13: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #14: Disable PowerShell Script Block Logging [windows]
- Atomic Test #15: PowerShell Bypass of AntiMalware Scripting Interface [windows]
- Atomic Test #16: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #17: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #18: Tamper with Windows Defender Registry [windows]
- Atomic Test #19: Disable Microft Office Security Features [windows]
- Atomic Test #20: Remove Windows Defender Definition Files [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete VSS - vssadmin [windows]
- Atomic Test #9: Delete VSS - wmic [windows]
- Atomic Test #10: bcdedit [windows]
- Atomic Test #11: wbadmin [windows]
- Atomic Test #13: Delete-PrefetchFile [windows]
- Atomic Test #14: Delete TeamViewer Log Files [windows, macos]
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222 File and Directory Permissions Modification](./T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: Take ownership recursively using takeown utility [windows]
- Atomic Test #3: cacls - Grant permission to specified user or group [windows]
- Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #5: icacls - Grant permission to specified user or group [windows]
- Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #7: attrib - Remove read-only attribute [windows]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #8: Create ADS command prompt [windows]
- Atomic Test #9: Create ADS PowerShell [windows]
- [T1143 Hidden Window](./T1143/T1143.md)
- Atomic Test #1: Hidden Window [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #6: Delete System Logs Using PowerShell [windows]
- Atomic Test #7: Delete System Logs Using Clear-EventLogId [windows]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- [T1036 Masquerading](./T1036/T1036.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- [T1112 Modify Registry](./T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify Registry of Another User Profile [windows]
- Atomic Test #4: Modify registry to store logon credentials [windows]
- Atomic Test #5: Modify registry to store PowerShell code [windows]
- Atomic Test #6: Add domain to Trusted sites Zone [windows]
- Atomic Test #7: Javascript in registry [windows]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1096 NTFS File Attributes](./T1096/T1096.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- [T1126 Network Share Connection Removal](./T1126/T1126.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- [T1027 Obfuscated Files or Information](./T1027/T1027.md)
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- [T1502 Parent PID Spoofing](./T1502/T1502.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1093 Process Hollowing](./T1093/T1093.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1014 Rootkit](./T1014/T1014.md)
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
- Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1099 Timestomp](./T1099/T1099.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1102 Web Service](./T1102/T1102.md)
- Atomic Test #1: Reach out to C2 Pointer URLs via command_prompt [windows]
- Atomic Test #2: Reach out to C2 Pointer URLs via powershell [windows]
- [T1220 XSL Script Processing](./T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# privilege-escalation
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1015 Accessibility Features](./T1015/T1015.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1088 Bypass User Account Control](./T1088/T1088.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- [T1050 New Service](./T1050/T1050.md)
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell [windows]
- [T1502 Parent PID Spoofing](./T1502/T1502.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- [T1055 Process Injection](./T1055/T1055.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #4: Process Injection via C# [windows]
- Atomic Test #5: svchost writing a file to a UNC path [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
# persistence
- [T1015 Accessibility Features](./T1015/T1015.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- [T1098 Account Manipulation](./T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1103 AppInit DLLs](./T1103/T1103.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- T1131 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](./T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1042 Change Default File Association](./T1042/T1042.md)
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #8: Create ADS command prompt [windows]
- Atomic Test #9: Create ADS PowerShell [windows]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1062 Hypervisor](./T1062/T1062.md)
- Atomic Test #1: Installing Hyper-V Feature [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Scheduled Task Startup Script [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- [T1031 Modify Existing Service](./T1031/T1031.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- [T1128 Netsh Helper DLL](./T1128/T1128.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- [T1050 New Service](./T1050/T1050.md)
- Atomic Test #1: Service Installation [windows]
- Atomic Test #2: Service Installation PowerShell [windows]
- [T1137 Office Application Startup](./T1137/T1137.md)
- Atomic Test #1: DDEAUTO [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1013 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1504 PowerShell Profile](./T1504/T1504.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1060 Registry Run Keys / Startup Folder](./T1060/T1060.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1180 Screensaver](./T1180/T1180.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1101 Security Support Provider](./T1101/T1101.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- [T1505 Server Software Component](./T1505/T1505.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1023 Shortcut Modification](./T1023/T1023.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](./T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](./T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](./T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- [T1087 Account Discovery](./T1087/T1087.md)
- Atomic Test #8: Enumerate all accounts [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell [windows]
- Atomic Test #10: Enumerate logged on users [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1010 Application Window Discovery](./T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](./T1217/T1217.md)
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome Bookmarks on Windows with command prompt [windows]
- [T1482 Domain Trust Discovery](./T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- [T1135 Network Share Discovery](./T1135/T1135.md)
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View available share drives [windows]
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
- [T1201 Password Policy Discovery](./T1201/T1201.md)
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1069 Permission Groups Discovery](./T1069/T1069.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell [windows]
- Atomic Test #4: Elevated group enumeration using net group [windows]
- [T1057 Process Discovery](./T1057/T1057.md)
- Atomic Test #2: Process Discovery - tasklist [windows]
- [T1012 Query Registry](./T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #5: Security Software Discovery - AV Discovery via WMI [windows]
- [T1518 Software Discovery](./T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- [T1033 System Owner/User Discovery](./T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- [T1007 System Service Discovery](./T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](./T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- [T1110 Brute Force](./T1110/T1110.md)
- Atomic Test #1: Brute Force Credentials [windows]
- [T1003 Credential Dumping](./T1003/T1003.md)
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Windows Credential Editor [windows]
- Atomic Test #4: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
- Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #11: GPP Passwords (findstr) [windows]
- Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
- Atomic Test #13: LSASS read with pypykatz [windows]
- Atomic Test #14: Registry parse with pypykatz [windows]
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1081 Credentials in Files](./T1081/T1081.md)
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- [T1214 Credentials in Registry](./T1214/T1214.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1208 Kerberoasting](./T1208/T1208.md)
- Atomic Test #1: Request for service tickets [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](./T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Packet Capture PowerShell [windows]
- [T1174 Password Filter DLL](./T1174/T1174.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1145 Private Keys](./T1145/T1145.md)
- Atomic Test #1: Private Keys [windows]
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Scheduled Task Startup Script [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- [T1075 Pass the Hash](./T1075/T1075.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
- Atomic Test #1: RDP [windows]
- Atomic Test #2: RDPto-DomainController [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1077 Windows Admin Shares](./T1077/T1077.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- Atomic Test #5: Invoke-Command [windows]
# collection
- [T1123 Audio Capture](./T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- [T1119 Automated Collection](./T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](./T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: PowerShell [windows]
- [T1074 Data Staged](./T1074/T1074.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1005 Data from Local System](./T1005/T1005.md)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1114 Email Collection](./T1114/T1114.md)
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](./T1113/T1113.md)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1002 Data Compressed](./T1002/T1002.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- Atomic Test #2: Compress Data for Exfiltration With Rar [windows]
- [T1022 Data Encrypted](./T1022/T1022.md)
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1030 Data Transfer Size Limits](./T1030/T1030.md)
- [T1048 Exfiltration Over Alternative Protocol](./T1048/T1048.md)
- Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1059 Command-Line Interface](./T1059/T1059.md)
- [T1223 Compiled HTML File](./T1223/T1223.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1196 Control Panel Items](./T1196/T1196.md)
- Atomic Test #1: Control Panel Items [windows]
- [T1173 Dynamic Data Exchange](./T1173/T1173.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows]
- Atomic Test #3: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #4: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1086 PowerShell](./T1086/T1086.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: BloodHound [windows]
- Atomic Test #3: Obfuscation Tests [windows]
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
- Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #9: Powershell XML requests [windows]
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- Atomic Test #13: PowerShell Downgrade Attack [windows]
- Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1117 Regsvr32](./T1117/T1117.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- [T1053 Scheduled Task](./T1053/T1053.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #2: Create and Execute Batch Script [windows]
- [T1035 Service Execution](./T1035/T1035.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- [T1218 Signed Binary Proxy Execution](./T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #5: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #6: Msiexec.exe - Execute Arbitrary DLL [windows]
- Atomic Test #7: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #8: InfDefaultInstall.exe .inf Execution [windows]
- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- [T1204 User Execution](./T1204/T1204.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: Maldoc choice flags command execution [windows]
- Atomic Test #3: OSTAP JS version [windows]
- [T1047 Windows Management Instrumentation](./T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]
- Atomic Test #5: Invoke-Command [windows]
- [T1220 XSL Script Processing](./T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# command-and-control
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1090 Connection Proxy](./T1090/T1090.md)
- Atomic Test #2: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132 Data Encoding](./T1132/T1132.md)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Tools](./T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- [T1071 Standard Application Layer Protocol](./T1071/T1071.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #4: DNS Large Query Volume [windows]
- Atomic Test #5: DNS Regular Beaconing [windows]
- Atomic Test #6: DNS Long Domain Query [windows]
- Atomic Test #7: DNS C2 [windows]
- Atomic Test #8: OSTap Payload Download [windows]
- [T1032 Standard Cryptographic Protocol](./T1032/T1032.md)
- Atomic Test #1: OpenSSL C2 [windows]
- [T1095 Standard Non-Application Layer Protocol](./T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- [T1065 Uncommonly Used Port](./T1065/T1065.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- [T1102 Web Service](./T1102/T1102.md)
- Atomic Test #1: Reach out to C2 Pointer URLs via command_prompt [windows]
- Atomic Test #2: Reach out to C2 Pointer URLs via powershell [windows]
# initial-access
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1193 Spearphishing Attachment](./T1193/T1193.md)
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+87 -30
@@ -4,6 +4,7 @@ require 'erb'
require 'fileutils'
require 'json'
require 'atomic_red_team'
require 'csv'
class AtomicRedTeamDocs
ATTACK_API = Attack.new
@@ -32,18 +33,26 @@ class AtomicRedTeamDocs
end
puts
puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
generate_attack_matrix! 'All', "#{File.dirname(File.dirname(__FILE__))}/atomics/matrix.md"
generate_attack_matrix! 'Windows', "#{File.dirname(File.dirname(__FILE__))}/atomics/windows-matrix.md", only_platform: /windows/
generate_attack_matrix! 'macOS', "#{File.dirname(File.dirname(__FILE__))}/atomics/macos-matrix.md", only_platform: /macos/
generate_attack_matrix! 'Linux', "#{File.dirname(File.dirname(__FILE__))}/atomics/linux-matrix.md", only_platform: /^(?!windows|macos).*$/
generate_attack_matrix! 'All', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/matrix.md"
generate_attack_matrix! 'Windows', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/windows-matrix.md", only_platform: /windows/
generate_attack_matrix! 'macOS', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/macos-matrix.md", only_platform: /macos/
generate_attack_matrix! 'Linux', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Matrices/linux-matrix.md", only_platform: /^(?!windows|macos).*$/
generate_index! 'All', "#{File.dirname(File.dirname(__FILE__))}/atomics/index.md"
generate_index! 'Windows', "#{File.dirname(File.dirname(__FILE__))}/atomics/windows-index.md", only_platform: /windows/
generate_index! 'macOS', "#{File.dirname(File.dirname(__FILE__))}/atomics/macos-index.md", only_platform: /macos/
generate_index! 'Linux', "#{File.dirname(File.dirname(__FILE__))}/atomics/linux-index.md", only_platform: /^(?!windows|macos).*$/
generate_index! 'All', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/index.md"
generate_index! 'Windows', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/windows-index.md", only_platform: /windows/
generate_index! 'macOS', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/macos-index.md", only_platform: /macos/
generate_index! 'Linux', "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-Markdown/linux-index.md", only_platform: /^(?!windows|macos).*$/
generate_yaml_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/index.yaml"
generate_navigator_layer! "#{File.dirname(File.dirname(__FILE__))}/atomics/art_navigator_layer.json"
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/index.csv"
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/windows-index.csv", only_platform: /windows/
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/macos-index.csv", only_platform: /macos/
generate_index_csv! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Indexes-CSV/linux-index.csv", only_platform: /^(?!windows|macos).*$/
generate_yaml_index! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/index.yaml"
generate_navigator_layer! "#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json", \
"#{File.dirname(File.dirname(__FILE__))}/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json"
return oks, fails
end
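Review bot: every output path in this hunk rebuilds `File.dirname(File.dirname(__FILE__))` inline, fourteen times over; compute the atomics root once (for example `atomics_dir = File.expand_path('../atomics', __dir__)`) and join the relative paths onto it. That also puts the new `Indexes/Indexes-Markdown`, `Indexes/Indexes-CSV` and `Indexes/Matrices` layout in one visible place so it can be checked against the documentation links, which must point at exactly these directories. The backslash continuations on the `generate_navigator_layer!` call go away with shorter paths, or the four layer paths could be passed as keyword arguments so their order cannot be swapped silently. Note also that `index.yaml` moves from `atomics/index.yaml` to `atomics/Indexes/index.yaml`; anything that fetches the old raw URL needs the same update.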
@@ -126,6 +135,28 @@ class AtomicRedTeamDocs
puts "Generated Atomic Red Team index at #{output_doc_path}"
end
#
# Generates a master Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests
#
def generate_index_csv!(output_doc_path_by_tactic, only_platform: /.*/)
rows = Array.new
rows << ["Tactic", "Technique #", "Test #", "Test Name"]
ATTACK_API.techniques_by_tactic(only_platform: only_platform).each do |tactic, techniques|
techniques.each do |technique|
ATOMIC_RED_TEAM.atomic_tests_for_technique(technique).each_with_index do |atomic_test, i|
next unless atomic_test['supported_platforms'].any? {|platform| platform.downcase =~ only_platform}
rows << [tactic, technique['identifier'], i+1, atomic_test['name']]
end
end
end
File.write(output_doc_path_by_tactic, rows.map(&:to_csv).join)
puts "Generated Atomic Red Team CSV indexes at #{output_doc_path_by_tactic}"
end
#
# Generates a master YAML index of ATT&CK Tactic -> Technique -> Atomic Tests
#
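Review bot: the doc comment on `generate_index_csv!` is copied from the Markdown generator and says "master Markdown index"; it should say CSV, and the final `puts` says "CSV indexes" although each call writes a single file. Two behaviours are worth stating in that comment: test numbers come from `each_with_index` over the unfiltered test list, so a platform-filtered CSV keeps the same `Test #` as the full index (the `next unless` runs after the index is assigned, which is the desired behaviour), and the Linux `only_platform` regex `/^(?!windows|macos).*$/` matches any platform string that is not windows or macos, not Linux specifically. `CSV.generate` or `CSV.open` would express the header-plus-rows output more idiomatically than `rows.map(&:to_csv).join`, though for this data size either is fine.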
@@ -149,24 +180,7 @@ class AtomicRedTeamDocs
puts "Generated Atomic Red Team YAML index at #{output_doc_path}"
end
#
# Generates a MITRE ATT&CK Navigator Layer based on contributed techniques
#
def generate_navigator_layer!(output_layer_path)
techniques = []
ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
begin
technique = {
"techniqueID" => atomic_yaml['attack_technique'],
"score" => 100,
"enabled" => true
}
techniques.push(technique)
end
def get_layer(techniques)
layer = {
"version" => "2.2",
"name" => "Atomic Red Team",
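Review bot: `get_layer` is introduced without the `#` comment header that every other method in this class carries, and it hard-codes `"name" => "Atomic Red Team"`, so all four layers built from it will carry the same name and be indistinguishable once loaded side by side in Navigator; accept a name parameter (for example `get_layer(techniques, name:)`) and have the per-OS callers pass "Atomic Red Team (Windows)" and so on. Since it is only a helper for `generate_navigator_layer!`, it belongs under `private`, and a name such as `navigator_layer_for(techniques)` fits the surrounding Ruby style better than a `get_` prefix.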
@@ -183,11 +197,54 @@ class AtomicRedTeamDocs
],
"techniques" => techniques
}
end
#
# Generates a MITRE ATT&CK Navigator Layer based on contributed techniques
#
def generate_navigator_layer!(output_layer_path, output_layer_path_win, output_layer_path_mac, output_layer_path_lin)
File.write output_layer_path,layer.to_json
techniques = []
techniques_win = []
techniques_mac = []
techniques_lin = []
ATOMIC_RED_TEAM.atomic_tests.each do |atomic_yaml|
begin
technique = {
"techniqueID" => atomic_yaml['attack_technique'],
"score" => 100,
"enabled" => true
}
techniques.push(technique)
has_windows_tests = false
has_macos_tests = false
has_linux_tests = false
atomic_yaml['atomic_tests'].each do |atomic|
if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /windows/} then has_windows_tests = true end
if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then has_macos_tests = true end
if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^(?!windows|macos).*$/} then has_linux_tests = true end
end
if has_windows_tests then techniques_win.push(technique) end
if has_macos_tests then techniques_mac.push(technique) end
if has_linux_tests then techniques_lin.push(technique) end
end
end
puts "Generated Atomic Red Team ATT&CK Navigator Layer at #{output_layer_path}"
layer = get_layer techniques
layer_win = get_layer techniques_win
layer_mac = get_layer techniques_mac
layer_lin = get_layer techniques_lin
File.write output_layer_path,layer.to_json
File.write output_layer_path_win,layer_win.to_json
File.write output_layer_path_mac,layer_mac.to_json
File.write output_layer_path_lin,layer_lin.to_json
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_win}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_mac}"
puts "Generated Atomic Red Team ATT&CK Navigator Layers at #{output_layer_path_lin}"
end
end
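Review bot: the `begin ... end` around the per-technique body, carried over from the old loop, has no `rescue` or `ensure` and is therefore a no-op; either drop it or attach a `rescue` that reports which `atomic_yaml` failed. The three `has_*_tests` flags can each be computed directly with `any?` over `atomic_yaml['atomic_tests']`, and the four-way duplication of arrays, `get_layer` calls, `File.write` calls and `puts` lines (each of which says "Layers" for a single file) collapses to a hash of `path => techniques` iterated once. Because `get_layer` receives only the technique list, the four JSON files differ in nothing but that list, including the layer name; pass a per-OS name through so the layers can be told apart. The Linux check on the `supported_platforms` line carries the same caveat as the index generators: it matches anything that is not windows or macos.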
+1 -1
@@ -1,5 +1,5 @@
$(document).ready(function () {
$.get("https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/index.yaml", function (data) {
$.get("https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/Indexes/index.yaml", function (data) {
window.atomic_index = jsyaml.safeLoad(data);
});
+5 -5
@@ -29,11 +29,11 @@ execute all the Discovery phase items at once in a batch file, or run each phase
Select one or more Atomic Tests that you plan to execute. A complete list, ATT&CK matrices, and platform-specific
matrices linking to Atomic Tests can be found here:
- [Complete list of Atomic Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/index.md)
- [Atomic Tests per the ATT&CK Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/matrix.md)
- Windows [Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/windows-index.md) and [Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/windows-matrix.md)
- macOS [Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/macos-index.md) and [Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/macos-matrix.md)
- Linux [Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/linux-index.md) and [Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/linux-matrix.md)
- [Complete list of Atomic Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes-Markdown/index.md)
- [Atomic Tests per the ATT&CK Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Matrices/matrix.md)
- Windows [Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes-Markdown/windows-index.md) and [Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Matrices/windows-matrix.md)
- macOS [Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes-Markdown/macos-index.md) and [Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Matrices/macos-matrix.md)
- Linux [Tests](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes-Markdown/linux-index.md) and [Matrix](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Matrices/linux-matrix.md)
## Execute Test
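Review bot: the new links point at `atomics/Indexes-Markdown/...` and `atomics/Matrices/...`, but the generator in this same commit writes those files under `atomics/Indexes/Indexes-Markdown/` and `atomics/Indexes/Matrices/`, so every link in this list will 404 once the generated output is committed; add the `Indexes/` path component here (or drop it in the generator) so the two agree. Since this page is the test-selection guide, the new per-OS CSV indexes from `generate_index_csv!` deserve a link in the same list.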